[Opendnssec-develop] Fwd: Re: [Opendnssec-user] opendnssec: NSEC3PARAM TTL

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Sep 13 07:39:52 UTC 2012



What does the team think? I do not have a strong opinion about it, but
I think Miek has a point.

Matthijs

"In the end it all comes down to the question: What does Bind do?"

-------- Original Message --------
Subject: Re: [Opendnssec-user] opendnssec: NSEC3PARAM TTL
Date: Thu, 13 Sep 2012 09:36:37 +0200
From: Miek Gieben <miek.gieben at sidn.nl>
To: <opendnssec-user at lists.opendnssec.org>

[ Quoting Matthijs Mekking at 08:48 on September 13 in "Re:
[Opendnssec-user] opendnssec: N"... ]
> 
> Hi,
> 
> Funny. The TTL for NSEC3PARAM was 0 in very early versions of
> OpenDNSSEC. However, it does not matter what the TTL is: according
> to RFC 5155 the record is not used by validators or resolvers.
> 
> The standard also does not dictate any values for the NSEC3PARAM
> TTL, so we decided to follow the normal TTL rules.

But it would be nice to follow BIND's lead, because

a) one can use the RRSIG(NSEC3PARAM) from BIND in a zone created
   by opendnssec and vice versa (this may come in handy in an extreme
   failure case)
b) the outside world cannot see your signer setup by looking at the
   TTL of the NSEC3PARAM

As the change is minimal, I would say: just apply Paul's patch.

grtz Miek
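Miek's point (a) rests on a detail of RFC 4034: an RRSIG covers the RRset's TTL as its Original TTL, so a signature made over NSEC3PARAM with one TTL cannot be reused on a copy of the record carrying a different TTL. The following is an added example, not code from this thread, from OpenDNSSEC or from BIND: it builds the to-be-signed bytes for an NSEC3PARAM RR and hashes them as a stand-in for the signature. The owner name, signer name, key tag, validity window and NSEC3PARAM parameters are constructed values.

```python
import hashlib
import struct

TYPE_NSEC3PARAM = 51   # RR type code, RFC 5155
CLASS_IN = 1

def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, uncompressed (RFC 4034 s6.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3param_rdata(hash_alg=1, flags=0, iterations=10, salt=b"\xab\xcd") -> bytes:
    """NSEC3PARAM RDATA: hash alg, flags, iterations, salt length, salt (RFC 5155 s4.2).
    Constructed sample parameters, not taken from any real zone."""
    return struct.pack("!BBHB", hash_alg, flags, iterations, len(salt)) + salt

def rrsig_signed_data(owner, rtype, ttl, rdata, signer, inception, expiration, keytag, alg=8):
    """Bytes an RRSIG signs (RFC 4034 s3.1.8.1): the RRSIG RDATA without the signature
    field, then each RR in canonical form with its TTL set to the Original TTL."""
    labels = sum(1 for l in owner.rstrip(".").split(".") if l)
    rrsig_rdata = struct.pack("!HBBIIIH", rtype, alg, labels, ttl,
                              expiration, inception, keytag) + wire_name(signer)
    rr = wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return rrsig_rdata + rr

def signed_data_digest(owner: str, ttl: int) -> str:
    """SHA-256 of the to-be-signed data for one NSEC3PARAM RR; stands in for the
    signature itself (signer name, key tag and validity window are constructed)."""
    data = rrsig_signed_data(owner, TYPE_NSEC3PARAM, ttl, nsec3param_rdata(),
                             signer="example.", inception=1347000000,
                             expiration=1349000000, keytag=12345)
    return hashlib.sha256(data).hexdigest()

def rrsig_portable(ttl_a: int, ttl_b: int) -> bool:
    """True only if an RRSIG made over NSEC3PARAM with ttl_a also covers a copy with ttl_b."""
    return signed_data_digest("example.", ttl_a) == signed_data_digest("example.", ttl_b)

if __name__ == "__main__":
    for ttl in (0, 3600):
        print(f"TTL {ttl:>4}: {signed_data_digest('example.', ttl)}")
    # An RRSIG from one signer only drops into the other signer's zone if both use the same TTL.
    print("RRSIG over TTL 0 reusable for TTL 3600:", rrsig_portable(0, 3600))
```

The TTL appears twice in the signed bytes (the Original TTL field and the canonical RR), so even a zone that otherwise matches byte for byte yields a different digest when only the NSEC3PARAM TTL differs.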
