nsec3 opt-out confusion (bug report)

Evan Hunt each at isc.org
Tue Apr 1 16:29:13 UTC 2014

> Nevertheless, it seems there are still two bugs:
> 1. The NSEC3 chain is not properly cleared when switching from 
> non-opt-out to opt-out

That does seem incorrect (though under the circumstances it may
be harmless).  Could you please report it to bind9-bugs at isc.org,
including details of how you made the changes?

> 2. The NSEC3PARAM record always has the opt-out flag clear, even if 
> opt-out is activated.

Not a bug, as noted elsewhere.

> Finally a question: The NSEC3 RFC allows a mixed opt-out mode within a 
> zone. Is this used by Bind or does Bind always either use opt-out or 
> non-opt-out?

BIND doesn't currently provide a mechanism for that. If it's something
you need, please send a feature request to bind-suggest at isc.org.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
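
A quick way to inspect what this thread discusses, as an added example that is not part of the original message or of BIND's code: tally the Opt-Out bit across the NSEC3 records of a zone listing, per chain, and confirm that the NSEC3PARAM flags are zero, as RFC 5155 requires. The zone text is constructed sample data in presentation format (as `dig axfr` would print it), and the function names are hypothetical.

```python
from collections import Counter

OPT_OUT = 0x01  # least significant bit of the NSEC3 Flags field (RFC 5155)

# Constructed sample zone excerpt; owner hashes and salt are illustrative only.
SAMPLE_ZONE = """\
example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
example. 3600 IN RRSIG NSEC3PARAM 8 1 0 ; constructed, signature elided
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 10 AABBCCDD 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR NS SOA RRSIG DNSKEY NSEC3PARAM
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example. 3600 IN NSEC3 1 0 10 AABBCCDD 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM A RRSIG
"""

def parse_nsec3(text):
    """Return (owner, rrtype, flags, (alg, iterations, salt)) for each
    NSEC3 / NSEC3PARAM line; every other record type is skipped."""
    records = []
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()  # drop trailing comments
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.isdigit() or tok.upper() in ("IN", "CH", "HS"):
                continue  # optional TTL / class precede the type
            if tok.upper() in ("NSEC3", "NSEC3PARAM") and len(tokens) >= i + 5:
                alg, flags, iters, salt = tokens[i + 1:i + 5]
                records.append((tokens[0], tok.upper(), int(flags),
                                (int(alg), int(iters), salt.upper())))
            break  # the first non-TTL/class token is the type; stop here
    return records

def audit(text):
    """Summarise opt-out usage per NSEC3 chain (alg, iterations, salt)."""
    recs = parse_nsec3(text)
    param_flags = [f for _, t, f, _ in recs if t == "NSEC3PARAM"]
    chains = {}
    for _, rrtype, flags, params in recs:
        if rrtype == "NSEC3":
            key = "opt-out" if flags & OPT_OUT else "no-opt-out"
            chains.setdefault(params, Counter())[key] += 1
    return {
        # RFC 5155: the Opt-Out flag is unused in NSEC3PARAM and set to zero
        "nsec3param_flags_zero": all(f == 0 for f in param_flags),
        "chains": chains,
        # chains containing both opt-out and non-opt-out NSEC3 records
        "mixed": [p for p, c in chains.items() if len(c) == 2],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_ZONE))
```

A chain listed under `mixed` is permitted by the NSEC3 RFC, so the report only shows which flag values are present; whether they are expected depends on how the zone was signed.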
