> > To answer the question, those values are the NSEC3PARAM data for the
> > zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0
> > means no opt-out;
>
> It is not exactly what the RFC says:
>
> The Opt-Out flag is not used and is set to zero.
True. I oversimplified a bit.
W
On Sat, Feb 20, 2010 at 12:31:38AM +,
Evan Hunt wrote
a message of 36 lines which said:
> To answer the question, those values are the NSEC3PARAM data for the
> zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0
> means no opt-out;
It is not exactly what the RFC says:
> NSEC only DNSKEYs and NSEC3 chains not allowed
That should've been worded or at least punctuated better. "NSEC-only
DNSKEYs not allowed with NSEC3 chains", perhaps. It means you're using
at least one DNSKEY with an algorithm that predates NSEC3, and therefore
your zone can't have a valid NSEC3
On Fri, 19 Feb 2010, Shane W wrote:
algorithm of 1 means use SHA-1 for hashing names; flags of 1 means opt-out
and 0 means no opt-out; iterations indicates how many times to repeat the
Hmm, when attempting to add a nsec3param via nsupdate, I
get:
NSEC only DNSKEYs and NSEC3 chains not allowed
> If you wish to sign using NSEC3 instead of NSEC, you should add an
> NSEC3PARAM record to the initial update request. If you wish the NSEC3
> chain to have the OPTOUT bit set, set it in the flags field of the
> NSEC3PARAM record.
> % nsupdate
> > ttl 3600
> --- cut dn