It seems Bind is a bit broken. I just removed NSEC3 and added NSEC3
again with "1 0 10 BEEF", and suddenly all NSEC3 records had the opt-out
flag clear.
Then I changed NSEC3 params to "1 1 10 BEEF". Then almost all NSEC3
records had the opt-out flag set, but two NSEC3 records still had the
flag clear. These two NSEC3 records correspond with empty non-terminal
records for an insecure delegation (I guess they are not needed at all,
as the delegation is insecure, and were forgotten to be deleted).
Then I removed NSEC3 and added NSEC3 params "1 1 10 BEEF". This time all
the NSEC3 records had the opt-out flag set, but the NSEC3PARAM record shows:
NSEC3PARAM 1 0 10 BEEF
Thus, it seems that I had opt-out activated, but the broken NSEC3PARAM
header made me believe that opt-out was not enabled.
Nevertheless, it seems there are still two bugs:
1. The NSEC3 chain is not properly cleared when switching from
non-opt-out to opt-out
2. The NSEC3PARAM record always has the opt-out flag clear, even if
opt-out is activated.
Finally a question: The NSEC3 RFC allows a mixed opt-out mode within a
zone. Is this used by Bind or does Bind always either use opt-out or
non-opt-out?
Thanks
Klaus
On 01.04.2014 15:35, Klaus Darilion wrote:
Hi!
I use Bind 9.9.5 for inline signing. The zone is configured to use NSEC3
without opt-out:
example.com 0 IN NSEC3PARAM 1 0 10 BEEF
Nevertheless, most of the resulting NSEC3 records have the opt-out bit
set and insecure delegations are indeed skipped (no NSEC3 records for
insecure delegations), e.g.:
V24FPFCF9JU69PJH09ID0VEGDKLSN410.nic.at. 900 IN NSEC3 1 1 10 BEEF 0OTL3SD4PC0BGU4IVRM0DI2OV4DE8QQN A RRSIG
The only NSEC3 records having the opt-out bit cleared are the NSEC3
records for empty non-terminals, e.g.:
V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN.example.com. 900 IN NSEC3 1 0 10 BEEF V24FPFCF9JU69PJH09ID0VEGDKLSN410
So, I am confused.
1. Why does Bind use opt-out although it is configured to not use opt-out?
2. What would be the behavior for empty non-terminal NSEC3 records if
opt-out is enabled? Would the generated NSEC3 record still have the
opt-out bit cleared?
Thanks
Klaus
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
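The two messages above describe reading the opt-out state from the NSEC3PARAM record and finding it disagrees with the NSEC3 chain. RFC 5155 section 4.1.2 specifies that the Opt-Out bit of the NSEC3PARAM Flags field is always zero, so the only authoritative place to read opt-out status is the Flags field of each NSEC3 record itself, and the RFC allows the bit to differ between records in one chain. The following script is an added example, not code from the thread or from BIND: it parses a zone dump, compares every NSEC3 record's algorithm, iterations and salt against the published NSEC3PARAM (a mismatch indicates a stale chain left over from a parameter change), counts how many records carry the Opt-Out bit, and lists records with an empty type bitmap, which is how empty non-terminals appear. The sample zone text is constructed from the records quoted in the post, with the owner names placed under example.com.

```python
"""Audit NSEC3 opt-out usage in a zone dump (added example; not BIND code)."""

OPT_OUT_FLAG = 0x01  # RFC 5155 section 3.1.2.1: the Opt-Out bit of the NSEC3 Flags field

# Constructed sample, modelled on the records quoted in the post. The NSEC3PARAM
# shows flags 0 even though one NSEC3 record has Opt-Out set; that is what the
# RFC prescribes, so the chain, not NSEC3PARAM, is what the audit inspects.
SAMPLE_ZONE = """\
example.com. 0 IN NSEC3PARAM 1 0 10 BEEF
V24FPFCF9JU69PJH09ID0VEGDKLSN410.example.com. 900 IN NSEC3 1 1 10 BEEF 0OTL3SD4PC0BGU4IVRM0DI2OV4DE8QQN A RRSIG
V1PD6GJFRL9AKKJLS8SLSFGE4D506CFN.example.com. 900 IN NSEC3 1 0 10 BEEF V24FPFCF9JU69PJH09ID0VEGDKLSN410
"""


def parse_rr(line):
    """Split one presentation-format RR into (owner, type, rdata fields).

    Returns None for blank or comment-only lines. TTL and class are optional
    in master-file syntax, so both are skipped if present.
    """
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    owner, rest = fields[0], fields[1:]
    while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
        rest = rest[1:]
    return owner, rest[0].upper(), rest[1:]


def parse_nsec3(owner, rdata):
    """Decode NSEC3 rdata: alg flags iterations salt next-hashed [type bitmap...]."""
    return {
        "owner": owner,
        "alg": int(rdata[0]),
        "flags": int(rdata[1]),
        "iters": int(rdata[2]),
        "salt": rdata[3].upper(),
        "next": rdata[4],
        "types": [t.upper() for t in rdata[5:]],
    }


def audit_nsec3(zone_text):
    """Return a summary dict with opt-out counts, empty-bitmap owners and findings."""
    params = None
    chain = []
    for line in zone_text.splitlines():
        rr = parse_rr(line)
        if rr is None:
            continue
        owner, rtype, rdata = rr
        if rtype == "NSEC3PARAM":
            params = (int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3].upper())
        elif rtype == "NSEC3":
            chain.append(parse_nsec3(owner, rdata))

    findings = []
    if params is None:
        findings.append("no NSEC3PARAM record: resolvers cannot locate the NSEC3 chain")
    else:
        alg, pflags, iters, salt = params
        if pflags & OPT_OUT_FLAG:
            findings.append("NSEC3PARAM has the Opt-Out bit set; RFC 5155 4.1.2 requires zero")
        for rec in chain:
            if (rec["alg"], rec["iters"], rec["salt"]) != (alg, iters, salt):
                findings.append(f"{rec['owner']}: parameters differ from NSEC3PARAM (stale chain?)")

    opt_out = sum(1 for r in chain if r["flags"] & OPT_OUT_FLAG)
    no_opt_out = len(chain) - opt_out
    if opt_out and no_opt_out:
        findings.append(
            f"mixed chain: {opt_out} NSEC3 records with Opt-Out set, {no_opt_out} without "
            "(permitted by RFC 5155, but confirm it is intended)"
        )

    # An NSEC3 with no type bitmap covers an empty non-terminal; with Opt-Out
    # set it may instead span one or more insecure delegations.
    empty_bitmap = [r["owner"] for r in chain if not r["types"]]
    return {
        "params": params,
        "opt_out": opt_out,
        "no_opt_out": no_opt_out,
        "empty_bitmap": empty_bitmap,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_nsec3(SAMPLE_ZONE)
    print(f"NSEC3PARAM: {result['params']}")
    print(f"Opt-Out set: {result['opt_out']}, clear: {result['no_opt_out']}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it against `dig @server zone AXFR` output or a `named-checkzone -D` dump; a "parameters differ" finding after a parameter change is the condition described in the first message, where records from the previous chain survive alongside the new one.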