[Opendnssec-user] 1.0.0rc1 nsec3 signing bug, or some sort of newbie mistake
Johan Ihren
johani at autonomica.se
Tue Dec 8 10:59:36 UTC 2009
Hi,
On 8 Dec 2009, at 09:57, Alexd at nominet.org.uk wrote:
> > The zone is signed by the signer, but a bunch of strange records are
> > added
>
> These are the NSEC3 records. If you do not need to prevent zone walking, and your zone is not so large that opt-out is a requirement, then you are just as well served by NSEC (which does not require the "strange records" in the signed zone).
OPT-OUT is not so much about the size of the zone as about the zone mostly containing non-authoritative data rather than authoritative stuff.
Regards,
Johan
More information about the Opendnssec-user
mailing list