[Opendnssec-user] Re: NSEC3PARAM and OPTOUT

Emil Natan shlyoko at gmail.com
Tue Dec 23 14:34:56 UTC 2014


I see there are at least 3 TLDs which I know are using ODS and where the
NSEC3PARAM indicates OPT-OUT disabled, but the NSEC3 records have OPT-OUT
flag enabled. When using BIND to sign a zone, both NSEC3PARAM and NSEC3
have the flags set the same way. Am I missing something, or is that
by design?
Thanks.

On Tue, Dec 23, 2014 at 4:11 PM, Emil Natan <shlyoko at gmail.com> wrote:

> Hello,
>
> This one is easy to reproduce.
> ods-ksmutil -V
> opendnssec version 1.4.6
>
> From kasp.xml:
>                 <Denial>
>                         <NSEC3>
>                                 <OptOut/>
>                                 <Resalt>P100D</Resalt>
>                                 <Hash>
>                                         <Algorithm>1</Algorithm>
>                                         <Iterations>10</Iterations>
>                                         <Salt length="8"/>
>                                 </Hash>
>                         </NSEC3>
>                 </Denial>
>
> When the zonefile is signed, the NSEC3PARAM flag indicates OPT-OUT
> disabled (when it's enabled in the configuration).
>
> test.org.       0       IN      NSEC3PARAM      1 0 10 e5d234b3dc0e03a3
>
> The NSEC3 records though have it right.
>
> pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org.      86400   IN      NSEC3   1
> 1 10 e5d234b3dc0e03a3  8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG
> DNSKEY NSEC3PARAM
>
> Can someone else confirm that behavior?
>
> Happy holidays,
> Emil
>
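
An added example, not part of the original message and not OpenDNSSEC or BIND code: a Python check that compares the flags, hash algorithm, iterations and salt of the NSEC3PARAM and NSEC3 records posted above. It assumes one record per line in presentation format, and it treats the NSEC3PARAM Flags field as required to be zero (RFC 5155, section 4.1.2), with Opt-Out carried only in the NSEC3 Flags field; the function names are hypothetical.

```python
import re

OPT_OUT = 0x01  # Opt-Out is the low bit of the NSEC3 Flags field (RFC 5155, 3.1.2)

# Records as posted in the message above (NSEC3 unwrapped onto one line).
ZONE = """\
test.org.       0       IN      NSEC3PARAM      1 0 10 e5d234b3dc0e03a3
pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3 1 1 10 e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG DNSKEY NSEC3PARAM
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NSEC3PARAM|NSEC3)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I)

def parse(text):
    """Return NSEC3/NSEC3PARAM records as dicts; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, _ttl, rtype, alg, flags, iters, salt = m.groups()
            out.append({"owner": owner, "type": rtype.upper(), "alg": int(alg),
                        "flags": int(flags), "iter": int(iters), "salt": salt.lower()})
    return out

def check(records):
    """Compare each NSEC3 against the NSEC3PARAM and list what differs."""
    params = [r for r in records if r["type"] == "NSEC3PARAM"]
    if len(params) != 1:
        return ["expected exactly one NSEC3PARAM, found %d" % len(params)]
    p, findings = params[0], []
    if p["flags"] != 0:
        findings.append("NSEC3PARAM flags=%d (RFC 5155 4.1.2 requires 0)" % p["flags"])
    for r in records:
        if r["type"] != "NSEC3":
            continue
        for field in ("alg", "iter", "salt"):
            if r[field] != p[field]:
                findings.append("%s: %s differs from NSEC3PARAM" % (r["owner"], field))
        if r["flags"] & ~OPT_OUT:
            findings.append("%s: reserved flag bits set" % r["owner"])
    return findings

def opt_out_owners(records):
    """Owners of NSEC3 records whose Opt-Out bit is set."""
    return [r["owner"] for r in records if r["type"] == "NSEC3" and r["flags"] & OPT_OUT]

if __name__ == "__main__":
    recs = parse(ZONE)
    print("findings:", check(recs) or "none")
    print("opt-out NSEC3 owners:", opt_out_owners(recs))
```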