[Opendnssec-user] 1.0.0rc1 nsec3 signing bug, or some sort of newbie mistake

Johan Ihren johani at autonomica.se
Tue Dec 8 10:59:36 UTC 2009


On 8 Dec 2009, at 09:57, Alexd at nominet.org.uk wrote:

> > The zone is signed by the signer, but a bunch of strange records are
> > added 
> These are the NSEC3 records. If you do not need to prevent zone walking, and your zone is not so large that opt-out is a requirement, then you are just as well served by NSEC (which does not require the "strange records" in the signed zone). 

OPT-OUT is not so much about the size of the zone as about the zone mostly containing non-authoritative data rather than authoritative stuff.



More information about the Opendnssec-user mailing list