[Opendnssec-user] opendnssec: NSEC3PARAM TTL
Miek Gieben
miek.gieben at sidn.nl
Thu Sep 13 07:36:37 UTC 2012
[ Quoting Matthijs Mekking at 08:48 on September 13 in "Re: [Opendnssec-user] opendnssec: N"... ]
>
> Hi,
>
> Funny. The TTL for NSEC3PARAM was 0 in very early versions of
> OpenDNSSEC. However, it does not matter what the TTL is: according to
> RFC 5155 the record is not used by validators or resolvers.
>
> The standard also does not dictate any values for the NSEC3PARAM TTL,
> so we decided to follow the normal TTL rules.
But it would be nice to follow BIND's lead, because
a) one can use the RRSIG(NSEC3PARAM) from BIND in a zone created by opendnssec and vice versa (this may come in handy in an extreme failure case)
b) the outside world cannot see your signer setup by looking at the TTL of the NSEC3PARAM
As the change is minimal, I would say: just apply Paul's patch.
grtz Miek
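Added example (not from the thread, not OpenDNSSEC or BIND code): point a) depends on the RRSIG's "Original TTL" field matching the TTL of the covered RRset (RFC 4034 section 3.1.4), so a signature made over an NSEC3PARAM with TTL 0 does not verify an NSEC3PARAM published with TTL 3600. The check below parses two constructed zone fragments (the signature data is a placeholder) and reports the NSEC3PARAM TTL that point b) says is visible to the outside world.

```python
import re

# Constructed sample records in presentation format; "AAAA" is a placeholder signature.
# BIND-style: NSEC3PARAM and the RRSIG's Original TTL field are both 0.
BIND_STYLE_ZONE = """
example.  0     IN NSEC3PARAM 1 0 10 AABBCCDD
example.  0     IN RRSIG NSEC3PARAM 8 1 0 20121013000000 20120913000000 12345 example. AAAA
"""
# Signer following the zone's normal TTL rules: both fields are 3600.
NORMAL_TTL_ZONE = """
example.  3600  IN NSEC3PARAM 1 0 10 AABBCCDD
example.  3600  IN RRSIG NSEC3PARAM 8 1 3600 20121013000000 20120913000000 12345 example. AAAA
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; blank and comment lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def nsec3param_ttl(records):
    """TTL of the NSEC3PARAM record (what an outside observer sees), or None if absent."""
    return next((ttl for _, ttl, rtype, _ in records if rtype == "NSEC3PARAM"), None)


def rrsig_original_ttl(records, covered="NSEC3PARAM"):
    """Original TTL field of the RRSIG covering `covered`: 4th rdata field per RFC 4034."""
    for _, _, rtype, rdata in records:
        fields = rdata.split()
        if rtype == "RRSIG" and fields[0] == covered:
            return int(fields[3])
    return None


def rrsig_reusable_between(zone_a, zone_b):
    """True when RRSIG(NSEC3PARAM) from one signer is TTL-compatible with the other's
    NSEC3PARAM: RR TTL and RRSIG Original TTL must agree across both zones."""
    a, b = parse_zone(zone_a), parse_zone(zone_b)
    return (nsec3param_ttl(a) == nsec3param_ttl(b)
            and rrsig_original_ttl(a) == rrsig_original_ttl(b))
```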