[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Jerry Lundström jerry at opendnssec.org
Thu Sep 19 06:59:29 UTC 2013


On 19 sep 2013, at 07:21, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:

> On 09/18/2013 05:50 PM, Olaf Kolkman wrote:
>> From the point of view from the resolver this is a pretty atomic
>> operation and I do not immediately (in the few minutes I thought about
>> this) see a problem.
> Short answer: Correct.
> Long answer: Correct. There must be at least one complete NSEC/NSEC3
> chain in the published zone, then it poses no validation issues at the
> resolver. The resolver only needs to get consistent NSEC3 records in the
> response. There are no timing issues like with DNSKEYs.

Ah, good. Thanks for the answers!


More information about the Opendnssec-develop mailing list