[Opendnssec-develop] opt-out

roy at nominet.org.uk
Tue Mar 24 10:43:19 UTC 2009


Jelte Jansen wrote on 03/24/2009 11:14:31 AM:

> Hi,
>
> regarding opt-out, at the moment the signer does set the opt-out bit in
> NSEC3 records if so specified by the xml config file, but it doesn't
> actually opt out anything; it still creates NSEC3 records for each name
> and each nonterminal in the zone. Now originally I was thinking that the
> user/kasp/whatever would have to provide all names that would need an
> NSEC3, or all names that should be ignored during the creation of the
> NSEC3 chain. But recently I had another idea.
>
> This may be what the authors of RFC 5155 always had in mind (Roy, is it?
> :) ).
>
> What I am thinking of (at least for ldns-signzone, and if so also for
> opendnssec), is to automatically ignore any name that only consists of an
> NS RRSet when creating the NSEC3 chain. Although I'm not really sure
> what to do with empty nonterminals yet. This would make using opt-out
> really easy for its intended purpose in delegation-centric zones. It
> would however mean that one would lose a little control over verified
> insecure delegations.
>
> Any thoughts?

Jelte, that is _exactly_ what we had in mind. This is how my little perl
signer worked, that generated the examples in the RFC:

1) make a list of all names in the zone: $names
2) make a list of all delegations in the zone: $dels
3) (OO) add empty non-terminal names in $dels to $names
4) create a list of NSEC3s as follows:
      - for each name in $names,
            exit if glue (i.e. subname of any name in $dels)
      (OO)  exit if name exists in $dels that does not have DS record.
            create NSEC3 record, add to $nsec3s
5) sort $nsec3s, chain'em

This is not the most elegant way, and was solely a proof of concept (and
subsequently passed all the workshops). Note that only the lines marked
with (OO) are special to Opt-Out=1.

Hope this helps.

Roy
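Roy's five steps, rendered as a small Python script. This is an added example, not the Perl proof-of-concept from the thread or OpenDNSSEC code; the zone is constructed inline, and empty non-terminals are added in both modes (RFC 5155 section 7.1 requires them in a normal chain), which differs from step 3 being Opt-Out only.

```python
import base64
import hashlib

# Constructed sample zone (not from the thread): owner name -> set of RR types.
ZONE = {
    "example.":       {"SOA", "NS", "DNSKEY"},
    "a.example.":     {"NS", "DS"},  # secure delegation: always gets an NSEC3
    "b.example.":     {"NS"},        # insecure delegation: skipped under Opt-Out
    "ns1.b.example.": {"A"},         # glue: never gets an NSEC3
    "c.d.example.":   {"NS"},        # insecure delegation under the ENT d.example.
    "www.example.":   {"A"},
}

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1 over the lowercase wire-format name plus salt,
    re-hashed 'iterations' more times, written in base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std, hexalpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).decode().translate(str.maketrans(std, hexalpha)).lower()

def nsec3_chain(zone, apex, opt_out, salt=b"", iterations=0):
    names = set(zone)                                                   # step 1
    dels = {n for n, t in zone.items() if "NS" in t and n != apex}      # step 2
    for d in dels:                                                      # step 3
        parent = d.split(".", 1)[1]
        while parent != apex:           # walk up to the apex, adding ENTs
            if parent not in zone:
                names.add(parent)
            parent = parent.split(".", 1)[1]
    records = []
    for name in names:                                                  # step 4
        if any(name.endswith("." + d) for d in dels):
            continue                    # glue: subname of a delegation
        if opt_out and name in dels and "DS" not in zone[name]:
            continue                    # (OO) unsigned delegation is opted out
        records.append({"owner": nsec3_hash(name, salt, iterations),
                        "name": name, "flags": 1 if opt_out else 0})
    records.sort(key=lambda r: r["owner"])                              # step 5
    for i, rec in enumerate(records):   # chain them; last wraps to first
        rec["next"] = records[(i + 1) % len(records)]["owner"]
    return records
```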