[Opendnssec-user] Re: NSEC3PARAM and OPTOUT

Roy Arends roy at nominet.org.uk
Tue Dec 23 14:41:11 UTC 2014

This is by design.



On 23 Dec 2014, at 14:35, Emil Natan <shlyoko at gmail.com> wrote:

I see there are at least 3 TLDs which I know are using ODS and where the NSEC3PARAM indicates OPT-OUT disabled, but the NSEC3 records have OPT-OUT flag enabled. When using BIND to sign a zone, both NSEC3PARAM and NSEC3 have the flags set the same way. Is it me missing something or is it that by design?

On Tue, Dec 23, 2014 at 4:11 PM, Emil Natan <shlyoko at gmail.com> wrote:

This one is easy to reproduce.
ods-ksmutil -V
opendnssec version 1.4.6

From kasp.xml:
                                        <Salt length="8"/>

When the zonefile is signed, the NSEC3PARAM flag indicates OPT-OUT disabled (when it's enabled in the configuration).

test.org.       0       IN      NSEC3PARAM      1 0 10 e5d234b3dc0e03a3

The NSEC3 records though have it right.

pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org.      86400   IN      NSEC3   1 1 10 e5d234b3dc0e03a3  8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG DNSKEY NSEC3PARAM

Can someone else confirm that behavior?

Happy holidays,
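
The comparison discussed in this thread, as an added example that is not part of the original messages or of OpenDNSSEC. Under RFC 5155 the Opt-Out bit is carried only in NSEC3 records and the NSEC3PARAM Flags field is zero, so the check compares algorithm, iterations and salt and reads opt-out from the NSEC3 record. The two record strings are the ones quoted above; the function names are hypothetical.

```python
# Added example: compare an NSEC3PARAM record with an NSEC3 record of the same zone.
# The record strings are copied from the post; helper names are hypothetical.

OPT_OUT = 0x01  # least significant bit of the NSEC3 Flags field (RFC 5155, 3.1.2.1)

NSEC3PARAM_RR = "test.org. 0 IN NSEC3PARAM 1 0 10 e5d234b3dc0e03a3"
NSEC3_RR = ("pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3 1 1 10 "
            "e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 "
            "A NS SOA MX RRSIG DNSKEY NSEC3PARAM")


def parse_nsec3_fields(rr_text, rr_type):
    """Return the hash parameters that follow the type mnemonic in a presentation-format RR."""
    tokens = rr_text.split()
    if rr_type not in tokens:
        raise ValueError(f"not a {rr_type} record: {rr_text!r}")
    rdata = tokens[tokens.index(rr_type) + 1:]
    if len(rdata) < 4:
        raise ValueError(f"truncated {rr_type} RDATA: {rr_text!r}")
    algorithm, flags, iterations = (int(x) for x in rdata[:3])
    salt = "" if rdata[3] == "-" else rdata[3].lower()  # "-" means an empty salt
    return {"algorithm": algorithm, "flags": flags, "iterations": iterations, "salt": salt}


def check_zone_nsec3(param_rr, nsec3_rr):
    """Return (opt_out_in_use, problems) for one NSEC3PARAM / NSEC3 pair."""
    param = parse_nsec3_fields(param_rr, "NSEC3PARAM")
    nsec3 = parse_nsec3_fields(nsec3_rr, "NSEC3")
    problems = []
    # RFC 5155 4.1.2: an NSEC3PARAM RR with a non-zero Flags field must be ignored.
    if param["flags"] != 0:
        problems.append(f"NSEC3PARAM flags={param['flags']}, must be 0")
    # The hashing parameters are what has to agree between the two record types.
    for field in ("algorithm", "iterations", "salt"):
        if param[field] != nsec3[field]:
            problems.append(f"{field} differs: {param[field]!r} vs {nsec3[field]!r}")
    # Opt-out is read from the NSEC3 record only.
    return bool(nsec3["flags"] & OPT_OUT), problems


if __name__ == "__main__":
    opt_out, problems = check_zone_nsec3(NSEC3PARAM_RR, NSEC3_RR)
    print("opt-out in use:", opt_out)
    print("problems:", problems or "none")
```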
