Hi Emil,

> Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> the empty non-terminal is only derived from an insecure delegation
> covered by an Opt-Out NSEC3 RR.
>
> If I understand the above correctly, NSEC3 records should not be created
> for insecure delegations.
> validns also recognizes this as an error:
> validns ../signed/example.com.zone.signed
> ../signed/example.com.zone.signed:22: NSEC3 without a corresponding
> record (or empty non-terminal)
>
> Any help will be highly appreciated.

Ah, opt-out with empty non-terminals. Tricky business. From that quote (and some light reading) I cannot derive that the signer output is wrong. Basically, that requirement explicitly does not apply here. I'm unsure why validns does not detect the empty non-terminal. But I admit further reading might be necessary to give a definitive answer.

//Yuri
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
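
The rule quoted at the top of the message, worked through as an added example that is not part of the original thread and is not OpenDNSSEC or validns code. The zone contents and the function names are constructed, and it assumes that with Opt-Out every insecure delegation is left out of the NSEC3 chain.

```python
# Added example. Zone contents are constructed, not taken from the thread.
# Assumption: with Opt-Out in use, every insecure delegation is left out of
# the NSEC3 chain and is covered by an Opt-Out NSEC3 RR. Glue is not listed.

def ancestors(name, apex):
    """Names strictly between `name` and the apex: candidate empty non-terminals."""
    n = name.rstrip(".").lower().split(".")
    a = apex.rstrip(".").lower().split(".")
    if n[-len(a):] != a:
        raise ValueError(f"{name} is not at or below {apex}")
    extra = n[:len(n) - len(a)]
    return [".".join(extra[i:] + a) + "." for i in range(1, len(extra))]

def nsec3_owner_names(zone, apex, opt_out):
    """zone maps owner name -> 'auth', 'secure-delegation' or 'insecure-delegation'.
    Returns (names that need an NSEC3 RR, empty non-terminals exempted by the rule)."""
    owners = {name.lower(): kind for name, kind in zone.items()}

    def in_chain(kind):
        return not (opt_out and kind == "insecure-delegation")

    needed = {name for name, kind in owners.items() if in_chain(kind)}
    exempt = set()
    for name, kind in owners.items():
        for ent in ancestors(name, apex):
            if ent in owners:
                continue  # owns records itself, so it is not an empty non-terminal
            (needed if in_chain(kind) else exempt).add(ent)
    # Exempt only when derived *only* from opted-out insecure delegations.
    return needed, exempt - needed

ZONE = {  # constructed sample zone
    "example.com.": "auth",
    "www.example.com.": "auth",
    "unsigned.sub.example.com.": "insecure-delegation",
    "signed.dept.example.com.": "secure-delegation",
    "host.mixed.example.com.": "auth",
    "child.mixed.example.com.": "insecure-delegation",
}

if __name__ == "__main__":
    needed, exempt = nsec3_owner_names(ZONE, "example.com.", opt_out=True)
    print("NSEC3 required:", sorted(needed))
    print("ENTs exempt under Opt-Out:", sorted(exempt))
```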