On 01.04.2014 17:09, Chris Thompson wrote:
> On Apr 1 2014, Klaus Darilion wrote:
>> [...]
>> Nevertheless, it seems there are still two bugs:
>> 1. The NSEC3 chain is not properly cleared when switching from
>> non-opt-out to opt-out
>> 2. The NSEC3PARAM record always has the opt-out flag clear, even if
>> opt-out is activated.
> That last, at least, is not a bug. It is mandated by RFC 5155 - see
> section 4.1.2.
Indeed. Thanks. That's confusing. From the RFC:
The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm,
flags, iterations, and salt) needed by authoritative servers to
calculate hashed owner names
So it can be used to instruct the authoritative name server about
iterations, algorithm and salt, but not for flags. What is the reason
behind this rule?
> This was really nic.at (and not example.com), wasn't it? Your domain
> obfuscation was half-hearted! I tried looking at it, but things
> were changing too fast for me to get consistent results...
Yes, half-hearted. It is now stable again. The "zombie" NSEC3 records
left over from a switch to opt-out were causing problems on validating
resolvers.
regards
Klaus
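The two points raised in this thread (NSEC3PARAM must carry Flags=0 per RFC 5155 section 4.1.2, and a zone can be left with a stale NSEC3 chain after a parameter or opt-out change) can be checked from a zone dump. The following is an added example, not code from this thread or from BIND; it assumes one presentation-format record per line with explicit TTL and class, and the sample zone and its shortened hashed labels are constructed.

```python
"""Consistency check for NSEC3 / NSEC3PARAM records in a zone dump.

Reports three conditions discussed on the list:
  - NSEC3PARAM with a non-zero Flags field (RFC 5155 4.1.2 requires 0;
    opt-out lives only in the NSEC3 records),
  - NSEC3 records whose algorithm/iterations/salt match no NSEC3PARAM
    (leftover "zombie" chain from an earlier parameter set),
  - an active chain mixing opt-out (flag 1) and non-opt-out (flag 0).
"""
from collections import namedtuple

Nsec3Param = namedtuple("Nsec3Param", "alg flags iterations salt")
Nsec3 = namedtuple("Nsec3", "owner alg flags iterations salt next")

# Constructed sample (hashed owner labels shortened for readability).
SAMPLE_ZONE = """\
example.com. 3600 IN NSEC3PARAM 1 0 10 ABCD
0P9MHAV.example.com. 3600 IN NSEC3 1 1 10 ABCD 2VPTU5T NS DS RRSIG
2VPTU5T.example.com. 3600 IN NSEC3 1 0 10 ABCD 0P9MHAV A RRSIG
B4UM86E.example.com. 3600 IN NSEC3 1 0 10 1234 0P9MHAV A RRSIG
"""

def parse_zone(text):
    """Return (nsec3param_list, nsec3_list) from presentation-format lines."""
    params, chain = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":        # owner TTL IN TYPE rdata...
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "NSEC3PARAM":
            params.append(Nsec3Param(int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3]))
        elif rtype == "NSEC3" and len(rdata) >= 5:
            chain.append(Nsec3(owner, int(rdata[0]), int(rdata[1]), int(rdata[2]), rdata[3], rdata[4]))
    return params, chain

def check_nsec3(text):
    """Return a list of human-readable problems found in the zone text."""
    params, chain = parse_zone(text)
    problems = []
    for p in params:
        if p.flags != 0:
            problems.append(f"NSEC3PARAM flags={p.flags}; RFC 5155 4.1.2 requires 0")
    live = {(p.alg, p.iterations, p.salt) for p in params}
    for r in chain:
        if (r.alg, r.iterations, r.salt) not in live:
            problems.append(f"{r.owner}: NSEC3 with stale params (iter={r.iterations} salt={r.salt})")
    optout = {r.flags & 1 for r in chain if (r.alg, r.iterations, r.salt) in live}
    if len(optout) > 1:
        problems.append("active NSEC3 chain mixes opt-out and non-opt-out records")
    return problems
```

Run against the sample it flags the record with salt 1234 as stale and the remaining chain as mixing opt-out and non-opt-out, which is the kind of inconsistency that trips validating resolvers.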
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users