[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?
jerry at opendnssec.org
Thu Sep 19 08:59:29 CEST 2013
On 19 sep 2013, at 07:21, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
> On 09/18/2013 05:50 PM, Olaf Kolkman wrote:
>> From the point of view from the resolver this is a pretty atomic
>> operation and I do not immediately (in the few minutes I thought about
>> this) see a problem.
> Short answer: Correct.
> Long answer: Correct. There must be at least one complete NSEC/NSEC3
> chain in the published zone, then it poses no validation issues at the
> resolver. The resolver only needs to get consistent NSEC3 records in the
> response. There are no timing issues like with DNSKEYs.
Ah, good. Thanks for the answers!
More information about the Opendnssec-develop