[Opendnssec-user] opendnssec: NSEC3PARAM TTL
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Sep 13 12:48:24 UTC 2012
FYI
I have applied Paul's suggestion to the trunk (for 1.4.0rc1) and
branches/OpenDNSSEC (for 1.3.11)
https://issues.opendnssec.org/browse/OPENDNSSEC-330
Best regards,
Matthijs
On 09/13/2012 09:36 AM, Miek Gieben wrote:
> [ Quoting Matthijs Mekking at 08:48 on September 13 in "Re:
> [Opendnssec-user] opendnssec: N"... ]
>> Hi,
>>
>> Funny. The TTL for NSEC3PARAM was 0 in a very early version of
>> OpenDNSSEC. However, it does not matter what the TTL is:
>> according to RFC 5155 the record is not used by validators or
>> resolvers.
>>
>> The standard also does not dictate any values for the NSEC3PARAM
>> TTL, so we decided to follow the normal TTL rules.
>
> But it would be nice to follow BIND's lead, because
>
> a) one can use the RRSIG(NSEC3PARAM) from BIND in a zone created by
> opendnssec and vice versa (this may come in handy in an extreme
> failure case)
> b) the outside world can not see your signer setup,
> by looking at the TTL of the NSEC3PARAM
>
> As the change is minimal, I would say: just apply Paul's patch.
>
> grtz Miek