[Opendnssec-develop] opt-out

Jelte Jansen jelte at NLnetLabs.nl
Tue Mar 24 10:14:31 UTC 2009


Hi,

regarding opt-out, at the moment the signer does set the opt-out bit in
NSEC3 records if so specified by the xml config file, but it doesn't
actually opt out anything; it still creates NSEC3 records for each name
and each nonterminal in the zone. Now originally I was thinking that the
user/kasp/whatever would have to provide all names that would need an
NSEC3, or all names that should be ignored during the creation of the
NSEC3 chain. But recently I had another idea.

This may be what the authors of RFC 5155 always had in mind (Roy, is it?
:) ).

What I am thinking of (at least for ldns-signzone, and if so also for
opendnssec), is to automatically ignore any name that only consists of an
NS RRSet when creating the NSEC3 chain. Although I'm not really sure
what to do with empty nonterminals yet. This would make using opt-out
really easy for its intended purpose in delegation-centric zones. It
would however mean that one would lose a little control over verified
insecure delegations.

Any thoughts?

Jelte

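Added example, not code from the thread, ldns or OpenDNSSEC: a Python sketch of the proposed rule, building an opt-out NSEC3 chain that skips every name holding nothing but an NS RRset and, as one possible answer to the open question about empty nonterminals, derives ENTs only from the names that are kept. The hash follows RFC 5155 section 5; the sample zone, salt and iteration count in the comments and test are constructed for the demonstration.

```python
import base64
import hashlib

OPT_OUT = 0x01  # Opt-Out bit of the NSEC3 Flags field (RFC 5155, section 3.1.2.1)
# base64.b32encode uses the RFC 4648 base32 alphabet; NSEC3 uses "base32hex".
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lowercase) wire format of a fully-qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5, SHA-1: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def parent(name):
    return name.split(".", 1)[1]

def opt_out_chain(apex, rrsets, salt=b"", iterations=0):
    """rrsets: {owner: set(types)} of the zone's authoritative RRsets (glue excluded).
    Returns the NSEC3 chain as (hashed_owner, flags, next_hashed, type_bitmap) tuples."""
    apex = apex.lower()
    kept = {}
    for owner, types in rrsets.items():
        # Proposed rule: a name holding nothing but an NS RRset is an unsigned
        # delegation and gets no NSEC3. A delegation that also has a DS is kept.
        if owner.lower() != apex and set(types) == {"NS"}:
            continue
        kept[owner.lower()] = set(types)
    # Empty nonterminals are derived only from kept names, so an ENT that exists
    # solely because of opted-out delegations is omitted as well (assumption).
    for owner in [o for o in kept if o != apex]:
        n = parent(owner)
        while n != apex and n not in kept:
            kept[n] = set()
            n = parent(n)
    hashed = sorted((nsec3_hash(o, salt, iterations), o) for o in kept)
    chain = []
    for i, (h, owner) in enumerate(hashed):
        next_hashed = hashed[(i + 1) % len(hashed)][0]  # the chain wraps around
        types = kept[owner]
        bitmap = sorted(types | {"RRSIG"}) if types else []  # ENTs have an empty bitmap
        chain.append((h, OPT_OUT, next_hashed, bitmap))  # flag set as the signer does
    return chain
```

A real signer would also add NSEC3PARAM to the apex bitmap and set the Opt-Out flag only where the record actually spans unsigned delegations.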