[Opendnssec-user] opendnssec: NSEC3PARAM TTL

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Sep 13 12:48:24 UTC 2012


FYI

I have applied Paul's suggestion to the trunk (for 1.4.0rc1) and
branches/OpenDNSSEC (for 1.3.11).

https://issues.opendnssec.org/browse/OPENDNSSEC-330

Best regards,
  Matthijs

On 09/13/2012 09:36 AM, Miek Gieben wrote:
> [ Quoting Matthijs Mekking at 08:48 on September 13 in "Re:
> [Opendnssec-user] opendnssec: N"... ]
>> 
>> Hi,
>> 
>> Funny. The TTL for NSEC3PARAM was 0 in a very early version of
>> OpenDNSSEC. However, it does not matter what the TTL is:
>> according to RFC 5155 the record is not used by validators or
>> resolvers.
>> 
>> The standard also does not dictate any values for the NSEC3PARAM
>> TTL, so we decided to follow the normal TTL rules.
> 
> But it would be nice to follow BIND's lead, because
> 
> a) one can use the RRSIG(NSEC3PARAM) from BIND in a zone created by
> opendnssec and vice versa (this may come in handy in an extreme
> failure case)
> b) the outside world cannot see your signer setup by looking at
> the TTL of the NSEC3PARAM
> 
> As the change is minimal, I would say: just apply Paul's patch.
> 
> grtz Miek



