On Tue, Aug 30, 2016 at 6:32 PM, Yuri Schaeffer <y...@nlnetlabs.nl> wrote:
> Hi Emil,
>
> > Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> > the empty non-terminal is only derived from an insecure delegation
> > covered by an Opt-Out NSEC3 RR.
> >
> > If I understand the above correctly, NSEC3 records should not be created
> > for insecure delegations.
> > validns also recognizes this as an error:
> > validns ../signed/example.com.zone.signed
> > ../signed/example.com.zone.signed:22: NSEC3 without a corresponding
> > record (or empty non-terminal)
> >
> > Any help will be highly appreciated.
>
> Ah, opt-out with empty non-terminals. Tricky business. From that quote
> (and some light reading) I cannot derive that the signer output is wrong.
> Basically that requirement explicitly does not apply here.
>
> I'm unsure why validns does not detect the empty non-terminal. But I
> admit further reading might be necessary to give a definitive answer.
>
> //Yuri

Actually, the validns error message supposes the presence of empty non-terminals. In addition (I decided not to mention it in my initial email), BIND also does not sign these. It does not mean the ODS signer is doing the wrong thing; I only mention it as a reference to other interpretations of the RFC definition. Unfortunately the different interpretations break a few of my tests on the signed zones, which is not ideal. I presume in practice nothing will be broken either way.

>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
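The rule from RFC 5155 section 7.1 quoted in this thread can be checked mechanically. The following is an added example, not code from OpenDNSSEC, validns or BIND: it takes a simplified zone model (owner name to set of RR types, all names fully qualified) and returns the set of names that MUST carry an NSEC3 RR, once without Opt-Out and once with it. The sample zone is constructed for illustration; `other.example.com.` is an empty non-terminal derived only from an insecure delegation, so under Opt-Out it drops out of the required set, while `mixed.example.com.`, which also has authoritative data below it, stays in. Note that the function computes what the RFC requires, not what it forbids: as Yuri points out, an extra NSEC3 for the excepted name falls outside the MUST rather than violating it.

```python
"""Which owner names a zone MUST cover with an NSEC3 RR under RFC 5155
section 7.1, with and without Opt-Out.  Added example for this thread,
not code from OpenDNSSEC, validns or BIND.  The zone model and the sample
zone below are constructed for illustration."""


def parent(name):
    """Strip the leftmost label: 'a.b.example.com.' -> 'b.example.com.'."""
    return name.split(".", 1)[1]


def delegation_above(name, zone, apex):
    """Closest strict ancestor of `name` below the apex that holds an NS
    RRset, i.e. the zone cut that puts `name` out of this zone, or None."""
    n = parent(name)
    while n != apex:
        if "NS" in zone.get(n, set()):
            return n
        n = parent(n)
    return None


def classify(zone, apex):
    """Map each owner name to 'auth', 'secure_delegation',
    'insecure_delegation' (NS without DS) or 'glue' (below a zone cut)."""
    kinds = {}
    for name, types in zone.items():
        if name == apex:
            kinds[name] = "auth"
        elif delegation_above(name, zone, apex) is not None:
            kinds[name] = "glue"
        elif "NS" in types:
            kinds[name] = "secure_delegation" if "DS" in types else "insecure_delegation"
        else:
            kinds[name] = "auth"
    return kinds


def empty_non_terminals(kinds, apex):
    """Names between the apex and an in-zone owner name that own no RRs."""
    ents = set()
    for name, kind in kinds.items():
        if name == apex or kind == "glue":
            continue
        n = parent(name)
        while n != apex:
            if n not in kinds:
                ents.add(n)
            n = parent(n)
    return ents


def nsec3_owner_names(zone, apex, opt_out):
    """Return the set of names that MUST have an NSEC3 RR.

    Without Opt-Out: every authoritative name, every delegation and every
    empty non-terminal.  With Opt-Out: insecure delegations are dropped,
    and so is an empty non-terminal that is derived only from insecure
    delegations (RFC 5155 section 7.1).  Glue never gets an NSEC3."""
    kinds = classify(zone, apex)
    required = set()
    for name, kind in kinds.items():
        if kind in ("auth", "secure_delegation"):
            required.add(name)
        elif kind == "insecure_delegation" and not opt_out:
            required.add(name)
    for ent in empty_non_terminals(kinds, apex):
        if not opt_out:
            required.add(ent)
            continue
        # Opt-Out exception: skip the ENT only if nothing below it (glue
        # aside) is authoritative data or a secure delegation.
        below = [k for n, k in kinds.items() if k != "glue" and n.endswith("." + ent)]
        if any(k in ("auth", "secure_delegation") for k in below):
            required.add(ent)
    return required


APEX = "example.com."

# Constructed sample zone: owner name -> RR types present at that name.
SAMPLE_ZONE = {
    "example.com.": {"SOA", "NS", "DNSKEY"},
    "www.example.com.": {"A"},
    "secure.sub.example.com.": {"NS", "DS"},       # secure delegation under ENT sub.example.com.
    "insecure.other.example.com.": {"NS"},         # insecure delegation under ENT other.example.com.
    "ns1.insecure.other.example.com.": {"A"},      # glue, below the zone cut
    "a.b.mixed.example.com.": {"NS"},              # insecure delegation; ENTs b.mixed and mixed
    "c.mixed.example.com.": {"TXT"},               # authoritative data, also under ENT mixed
}

if __name__ == "__main__":
    for opt_out in (False, True):
        print(f"opt_out={opt_out}:")
        for name in sorted(nsec3_owner_names(SAMPLE_ZONE, APEX, opt_out)):
            print("  ", name)
```

Feeding the owner names of a signed zone into this and diffing against the NSEC3 RRs actually present separates "NSEC3 missing where the RFC requires one" (a real error) from "NSEC3 present where the RFC only makes it optional", which is the distinction the validns message in this thread does not draw.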