jelte at NLnetLabs.nl
Tue Mar 24 10:56:41 UTC 2009
roy at nominet.org.uk wrote:
> Jelte Jansen wrote on 03/24/2009 11:14:31 AM:
> Jelte, that is _exactly_ what we had in mind. This is how my little perl
> signer worked, that generated the examples in the RFC:
> 1) make a list of all names in the zone: $names
> 2) make a list of all delegations in the zone: $dels
> 3) (OO) add empty non-terminal names in $dels to $names
> 4) create a list of NSEC3s as follows:
>    - for each name in $names,
>      exit if glue (i.e. subname of any name in $dels)
>      (OO) exit if name exists in $dels that does not have DS record.
>      create NSEC3 record, add to $nsec3s
> 5) sort $nsec3s, chain'em
> This is not the most elegant way, and was solely a proof of concept (and
> subsequently passed all the workshops). Note that only the lines marked
> with (OO) are special to Opt-Out=1.
Just to be sure; from this I gather that all empty nonterminals need an
NSEC3, even if it is only 'nonterminalling' to an unsigned delegation?
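
The five quoted steps for Opt-Out=1, as an added Python example (not Roy's Perl signer and not OpenDNSSEC code). It follows the steps literally, reading "exit" as "skip this name"; the zone contents, the function names and the salt/iteration values are assumptions chosen for illustration.

```python
import base64
import hashlib

# Constructed sample zone (not from the thread): owner name -> RR types present.
ZONE = {
    "example.": {"SOA", "NS", "DNSKEY"},
    "www.example.": {"A"},
    "secure.example.": {"NS", "DS"},      # signed delegation
    "ns.secure.example.": {"A"},          # glue below a delegation
    "unsigned.ent.example.": {"NS"},      # unsigned delegation; makes "ent.example." an empty non-terminal
}
APEX = "example."
# Map the standard base32 alphabet onto base32hex (lower case), as used for NSEC3 owner names.
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt=bytes.fromhex("aabbccdd"), iterations=12):
    """RFC 5155 hash: SHA-1 over wire-format name + salt, then re-hashed `iterations` times."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode()

def is_below(name, parent):
    return name != parent and name.endswith("." + parent)

def optout_nsec3_names(zone, apex):
    names = set(zone)                                                # step 1
    dels = {n for n, t in zone.items() if "NS" in t and n != apex}   # step 2
    for d in dels:                                                   # step 3 (OO)
        parent = d.split(".", 1)[1]
        while parent != apex and parent not in zone:
            names.add(parent)                                        # empty non-terminal
            parent = parent.split(".", 1)[1]
    selected = []
    for n in names:                                                  # step 4
        if any(is_below(n, d) for d in dels):
            continue                                                 # glue
        if n in dels and "DS" not in zone[n]:
            continue                                                 # (OO) delegation without DS
        selected.append(n)
    return sorted(selected)

def nsec3_chain(zone, apex):
    """Step 5: sort the hashed owner names and link each to the next, wrapping around."""
    hashes = sorted(nsec3_hash(n) for n in optout_nsec3_names(zone, apex))
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]
```

On this sample zone the steps as written select `ent.example.` while skipping `unsigned.ent.example.` itself, which is the case the question above asks about.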