[Opendnssec-develop] opt-out
Jelte Jansen
jelte at NLnetLabs.nl
Tue Mar 24 10:56:41 UTC 2009
roy at nominet.org.uk wrote:
> Jelte Jansen wrote on 03/24/2009 11:14:31 AM:
>
> Jelte, that is _exactly_ what we had in mind. This is how my little Perl
> signer worked, that generated the examples in the RFC:
>
> 1) make a list of all names in the zone: $names
> 2) make a list of all delegations in the zone: $dels
> 3) (OO) add empty non-terminal names in $dels to $names
> 4) create a list of NSEC3s as follows:
>    - for each name in $names,
>        exit if glue (i.e. subname of any name in $dels)
>        (OO) exit if name exists in $dels that does not have DS record.
>        create NSEC3 record, add to $nsec3s
> 5) sort $nsec3s, chain'em
>
> This is not the most elegant way, and was solely a proof of concept (and
> subsequently passed all the workshops). Note that only the lines marked
> with (OO) are special to Opt-Out=1.
>
Just to be sure; from this I gather that all empty nonterminals need an
NSEC3, even if it is only 'nonterminalling' to an unsigned delegation?
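The five quoted steps, transcribed literally into Python as an added example (not code from the thread or from OpenDNSSEC). The zone data, the `build_chain` and `is_below` helpers and the `(hash, next hash, name)` tuple layout are assumptions made for illustration; the hash follows RFC 5155.

```python
import base64
import hashlib

# base32 -> base32hex alphabet (RFC 4648), used for NSEC3 owner names
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: iterated SHA-1 over lowercase wire-format name + salt."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode("ascii")

def is_below(name, ancestor):
    return name.endswith("." + ancestor)

def build_chain(apex, names, dels, opt_out=True, salt=b"", iterations=0):
    """names: every owner name in the zone; dels: {delegation: has_DS}."""
    names = set(names)                                   # step 1 (step 2 is dels)
    if opt_out:                                          # step 3 (OO)
        for d in dels:
            labels = d.split(".")
            for i in range(1, len(labels)):
                ancestor = ".".join(labels[i:])
                if is_below(ancestor, apex):
                    names.add(ancestor)                  # no-op unless it was empty
    owners = {}
    for n in names:                                      # step 4
        if any(is_below(n, d) for d in dels):
            continue                                     # glue
        if opt_out and n in dels and not dels[n]:
            continue                                     # (OO) delegation without DS
        owners[nsec3_hash(n, salt, iterations)] = n
    order = sorted(owners)                               # step 5
    return [(h, order[(i + 1) % len(order)], owners[h]) for i, h in enumerate(order)]

# Constructed sample zone (not from the thread)
APEX = "example"
NAMES = ["example", "www.example", "signed.example", "ns.signed.example",
         "unsigned.deep.example", "ns.unsigned.deep.example"]
DELS = {"signed.example": True, "unsigned.deep.example": False}

if __name__ == "__main__":
    for owner, nxt, name in build_chain(APEX, NAMES, DELS):
        print(f"{owner}.{APEX}. NSEC3 -> {nxt}  ({name})")
```

In the sample zone `deep.example` is an empty non-terminal that exists only because of the unsigned delegation below it, and this literal transcription gives it an NSEC3. RFC 5155 section 7.1 exempts an empty non-terminal from needing one when it is only derived from an insecure delegation covered by an Opt-Out NSEC3.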