[Opendnssec-develop] opt-out

Jelte Jansen jelte at NLnetLabs.nl
Tue Mar 24 10:56:41 UTC 2009

roy at nominet.org.uk wrote:
> Jelte Jansen wrote on 03/24/2009 11:14:31 AM:
> Jelte, that is _exactly_ what we had in mind. This is how my little perl
> signer worked, that generated the examples in the RFC:
> 1) make a list of all names in the zone: $names
> 2) make a list of all delegations in the zone: $dels
> 3) (OO) add empty non-terminal names in $dels to $names
> 4) create a list of NSEC3s as follows:
>       - for each name in $names,
>             exit if glue (i.e. subname of any name in $dels)
>       (OO)  exit if name exists in $dels that does not have DS record.
>             create NSEC3 record, add to $nsec3s
> 5) sort $nsec3s, chain'em
> This is not the most elegant way, and was solely a proof of concept (and
> subsequently passed all the workshops). Note that only the lines marked
> with (OO) are special to Opt-Out=1.

just to be sure; from this i gather that all empty nonterminals need an
NSEC3, even if it is only 'nonterminalling' to an unsigned delegation?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090324/cd99968d/attachment.bin>

More information about the Opendnssec-develop mailing list