Hi Evan,
That's true there is a case here. This way around it makes sense to have that
rndc call. Thanks for clearing this one up.
Cheers,
--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone
Hi,
> NSEC3PARM is not supposed to be present in a unsigned zone. rndc doesn't
> add them to the zone. It tells the signing component to generate a NSEC3
> chain and when that is complete to add the NSEC3PARAM record.
Nothing says so in the specs: http://tools.ietf.org/html/rfc5155#section-4
Yo
Hi,
> NSEC3PARAM records should be generated by the signing software and
> not just be added to the zone.
Who says that? :) I think that is a matter of implementation and preference.
> Their presence/absence changes how
> the zone is served. In particular how negative and wildcard responses
> ar
Hi,
Ok that is already a bit better - at least saves a full sign with NSEC first.
Wondering though, from a user perspective sending in NSEC3PARAM from the
unsigned end seems like the most natural thing to do. Why complicate matters by
having to use rndc here?
Cheers,
--
Wolfgang Nagele
lt, opt-out, etc. based on this. I have tried this and
could not get it to work. The only way to use NSEC3 with the inline signer atm
is to run 'rndc -nsec3param' once the zone has been configured. Any hints?
Thanks,
--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry
6
176.6 0.0
14.|-- host-158.edge-fo.sfo1.verisign.com 0.0% 1 185.2 185.2 185.2
185.2 0.0
15.|-- g.gtld-servers.net 0.0% 1 178.8 178.8 178.8
178.8 0.0
Regards,
--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens
6 matches
Mail list logo
