[Opendnssec-develop] opt-out
roy at nominet.org.uk
Tue Mar 24 11:12:36 UTC 2009
Jelte Jansen <jelte at NLnetLabs.nl> wrote on 03/24/2009 11:56:41 AM:
> roy at nominet.org.uk wrote:
> > Jelte Jansen wrote on 03/24/2009 11:14:31 AM:
> >
> > Jelte, that is _exactly_ what we had in mind. This is how my little perl
> > signer worked, that generated the examples in the RFC:
> >
> > 1) make a list of all names in the zone: $names
> > 2) make a list of all delegations in the zone: $dels
> > 3) (OO) add empty non-terminal names in $dels to $names
> > 4) create a list of NSEC3s as follows:
> >    - for each name in $names,
> >        exit if glue (i.e. subname of any name in $dels)
> >        (OO) exit if name exists in $dels that does not have DS record.
> >        create NSEC3 record, add to $nsec3s
> > 5) sort $nsec3s, chain'em
> >
> > This is not the most elegant way, and was solely a proof of concept (and
> > subsequently passed all the workshops). Note that only the lines marked
> > with (OO) are special to Opt-Out=1.
> >
>
> just to be sure; from this i gather that all empty nonterminals need an
> NSEC3, even if it is only 'nonterminalling' to an unsigned delegation?
No!
(note to self: do not attempt to write pseudo-language based on historic
perl code)
Empty non-terminals as a result of unsigned delegations do not have to have
an NSEC3 record. (Yes, an explicit non-requirement: we do not require NSEC3
records for empty non-terminals derived from insecure delegations covered
by an Opt-Out span.)
RFC 5155, section 7.1 Zone Signing:
...
o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
the empty non-terminal is only derived from an insecure delegation
covered by an Opt-Out NSEC3 RR.
Hope this helps. Apologies for confusion.
Roy
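The corrected selection rule, as an added example that is not OpenDNSSEC code and not Roy's perl signer: which owner names get an NSEC3 RR when signing with Opt-Out, including the empty non-terminal rule from RFC 5155 section 7.1. It assumes absolute dotted names that all lie at or below the apex, and that the Opt-Out flag covers every insecure delegation in the zone; the zone data is constructed.

```python
# Added example (not OpenDNSSEC's or Roy's code): selecting the owner names that
# receive an NSEC3 RR under Opt-Out, per RFC 5155 section 7.1. Names are absolute
# dotted strings at or below the apex; the zone below is constructed.

from typing import Iterator, Set

def ancestors(name: str, apex: str) -> Iterator[str]:
    """Yield the proper ancestors of name that lie strictly below the apex."""
    while name != apex:
        name = name.split(".", 1)[1]
        if name == apex:
            return
        yield name

def nsec3_owners(names: Set[str], dels: Set[str], has_ds: Set[str],
                 apex: str, opt_out: bool) -> Set[str]:
    """Return the owner names that need an NSEC3 RR.

    names:   every owner name holding data in the zone (apex and glue included)
    dels:    the names that are delegation points (NS below the apex)
    has_ds:  delegations that also carry a DS RRset (secure delegations)
    opt_out: Opt-Out flag set; assumed to cover every insecure delegation
    """
    owners: Set[str] = set()
    for name in names:
        if any(p in dels for p in ancestors(name, apex)):
            continue        # below a zone cut: glue or occluded data, no NSEC3
        if opt_out and name in dels and name not in has_ds:
            continue        # insecure delegation inside an Opt-Out span
        owners.add(name)
    # Empty non-terminals: ancestors of a name that gets an NSEC3 and that are
    # not owner names themselves. An ENT that exists only because of an
    # opted-out insecure delegation is never reached here, which is the
    # explicit non-requirement quoted from section 7.1.
    for name in list(owners):
        owners.update(e for e in ancestors(name, apex) if e not in names)
    return owners

# Constructed zone: a = secure delegation, b = insecure delegation with glue,
# x.c.d = authoritative data under two ENTs, e.f = insecure delegation under an
# ENT only it creates, g = ENT shared by an insecure cut and real data.
APEX = "example."
NAMES = {APEX, "www.example.", "a.example.", "b.example.", "ns.b.example.",
         "x.c.d.example.", "e.f.example.", "h.g.example.", "i.g.example."}
DELS = {"a.example.", "b.example.", "e.f.example.", "h.g.example."}
HAS_DS = {"a.example."}

if __name__ == "__main__":
    for flag in (True, False):
        print("opt_out =", flag, sorted(nsec3_owners(NAMES, DELS, HAS_DS, APEX, flag)))
```

With Opt-Out set, f.example. (an ENT created only by the insecure delegation e.f.example.) gets no NSEC3, while g.example. still does because i.g.example. is authoritative data; without Opt-Out every non-glue name and every ENT is covered.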