[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Jerry Lundström jerry at opendnssec.org
Thu Sep 19 06:59:29 UTC 2013


Hi,

On 19 sep 2013, at 07:21, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:

> On 09/18/2013 05:50 PM, Olaf Kolkman wrote:
>>
>> From the point of view from the resolver this is a pretty atomic
>> operation and I do not immediately (in the few minutes I thought about
>> this) see a problem.
>
> Short answer: Correct.
>
> Long answer: Correct. There must be at least one complete NSEC/NSEC3
> chain in the published zone, then it poses no validation issues at the
> resolver. The resolver only needs to get consistent NSEC3 records in the
> response. There are no timing issues like with DNSKEYs.

Ah, good. Thanks for the answers!
>

/Jerry



More information about the Opendnssec-develop mailing list