[Opendnssec-develop] opt-out

roy at nominet.org.uk roy at nominet.org.uk
Tue Mar 24 11:12:36 UTC 2009

Jelte Jansen <jelte at NLnetLabs.nl> wrote on 03/24/2009 11:56:41 AM:

> roy at nominet.org.uk wrote:
> > Jelte Jansen wrote on 03/24/2009 11:14:31 AM:
> >
> > Jelte, that is _exactly_ what we had in mind. This is how my little
> > signer worked, that generated the examples in the RFC:
> >
> > 1) make a list of all names in the zone: $names
> > 2) make a list of all delegations in the zone: $dels
> > 3) (OO) add empty non-terminal names in $dels to $names
> > 4) create a list of NSEC3s as follows:
> >       - for each name in $names,
> >             exit if glue (i.e. subname of any name in $dels)
> >       (OO)  exit if name exists in $dels that does not have DS record.
> >             create NSEC3 record, add to $nsec3s
> > 5) sort $nsec3s, chain'em
> >
> > This is not the most elegant way, and was solely a proof of concept
> > subsequently passed all the workshops). Note that only the lines marked
> > with (OO) are special to Opt-Out=1.
> >
> just to be sure; from this i gather that all empty nonterminals need an
> NSEC3, even if it is only 'nonterminalling' to an unsigned delegation?


(note to self: do not attempt to write pseudo language based on historic
perl code)

Empty non terminals as a result of unsigned delegations do not have to have
an NSEC3 record. (yes, an explicit non-requirement: we do not require NSEC3
records for empty non-terminals derived from insecure delegations covered
by an Opt-Out span).

rfc5155 7.1 Zone Signing:
   o  Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
      the empty non-terminal is only derived from an insecure delegation
      covered by an Opt-Out NSEC3 RR.

Hope this helps. Apologies for confusion.


More information about the Opendnssec-develop mailing list