<div dir="ltr">Hello,<div><br></div><div>This one is easy to reproduce. </div><div><div>ods-ksmutil -V</div><div>opendnssec version 1.4.6</div></div><div><br></div><div>From kasp.xml:</div><div><div>                <Denial></div><div>                        <NSEC3></div><div>                                <OptOut/></div><div>                                <Resalt>P100D</Resalt></div><div>                                <Hash></div><div>                                        <Algorithm>1</Algorithm></div><div>                                        <Iterations>10</Iterations></div><div>                                        <Salt length="8"/></div><div>                                </Hash></div><div>                        </NSEC3></div><div>                </Denial></div></div><div><br></div><div>When the zonefile is signed, the NSEC3PARAM flag indicates OPT-OUT disabled (when it's enabled in the configuration).</div><div><br></div><div><a href="http://test.org">test.org</a>.       0       IN      NSEC3PARAM      1 0 10 e5d234b3dc0e03a3<br></div><div><br></div><div>The NSEC3 records though have it right.</div><div><br></div><div><a href="http://pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org">pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org</a>.      86400   IN      NSEC3   1 1 10 e5d234b3dc0e03a3  8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG DNSKEY NSEC3PARAM<br></div><div><br></div><div>Can someone else confirm that behavior?</div><div><br></div><div>Happy holidays,</div><div>Emil</div></div>