[Opendnssec-user] Re: NSEC3PARAM and OPTOUT

Emil Natan shlyoko at gmail.com
Tue Dec 23 14:48:59 UTC 2014


I checked the RFC, but somehow missed it. Thanks.

Emil

On Tue, Dec 23, 2014 at 4:41 PM, Roy Arends <roy at nominet.org.uk> wrote:

>  This is by design.
>
>  http://tools.ietf.org/html/rfc5155#section-4.1.2
>
>  Roy
>
> On 23 Dec 2014, at 14:35, Emil Natan <shlyoko at gmail.com> wrote:
>
>   I see there are at least 3 TLDs which I know are using ODS and where
> the NSEC3PARAM indicates OPT-OUT disabled, but the NSEC3 records have
> OPT-OUT flag enabled. When using BIND to sign a zone, both NSEC3PARAM and
> NSEC3 have the flags set the same way. Is it me missing something or is it
> that by design?
> Thanks.
>
> On Tue, Dec 23, 2014 at 4:11 PM, Emil Natan <shlyoko at gmail.com> wrote:
>
>> Hello,
>>
>>  This one is easy to reproduce.
>>  ods-ksmutil -V
>> opendnssec version 1.4.6
>>
>>  From kasp.xml:
>>         <Denial>
>>                 <NSEC3>
>>                         <OptOut/>
>>                         <Resalt>P100D</Resalt>
>>                         <Hash>
>>                                 <Algorithm>1</Algorithm>
>>                                 <Iterations>10</Iterations>
>>                                 <Salt length="8"/>
>>                         </Hash>
>>                 </NSEC3>
>>         </Denial>
>>
>>  When the zonefile is signed, the NSEC3PARAM flag indicates OPT-OUT
>> disabled (when it's enabled in the configuration).
>>
>>  test.org.       0       IN      NSEC3PARAM      1 0 10 e5d234b3dc0e03a3
>>
>>  The NSEC3 records though have it right.
>>
>>  pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org.      86400   IN      NSEC3
>> 1 1 10 e5d234b3dc0e03a3  8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG
>> DNSKEY NSEC3PARAM
>>
>>  Can someone else confirm that behavior?
>>
>>  Happy holidays,
>> Emil
>>
>
>
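The rule Roy points to (RFC 5155 section 4.1.2: the NSEC3PARAM Flags field is zero, and Opt-Out is signalled only by the flag in the NSEC3 records) can be checked mechanically when auditing a signed zone. The following is an added example, not part of the thread and not OpenDNSSEC code; the function names are hypothetical, and the input is the two records quoted above plus one constructed variant.

```python
# Added example: flag rules from RFC 5155 (3.1.2 for NSEC3, 4.1.2 for NSEC3PARAM).
OPT_OUT = 0x01  # least significant bit of the NSEC3 Flags field

def parse_params(rr_line):
    """Return (rtype, algorithm, flags, iterations, salt) from one zone-file line."""
    tokens = rr_line.split()
    # First type token wins: an NSEC3 type bitmap may itself list NSEC3PARAM.
    i = next((k for k, t in enumerate(tokens) if t in ("NSEC3", "NSEC3PARAM")), None)
    if i is None or len(tokens) < i + 5:
        raise ValueError("not an NSEC3/NSEC3PARAM record: %r" % rr_line)
    alg, flags, iterations = (int(t) for t in tokens[i + 1:i + 4])
    salt = "" if tokens[i + 4] == "-" else tokens[i + 4].lower()
    return tokens[i], alg, flags, iterations, salt

def check_zone(param_line, nsec3_lines):
    """Compare the NSEC3PARAM RR with the NSEC3 chain; report Opt-Out and findings."""
    findings = []
    _, p_alg, p_flags, p_iter, p_salt = parse_params(param_line)
    if p_flags != 0:
        findings.append("NSEC3PARAM flags=%d, must be 0 or the RR is ignored" % p_flags)
    opt_out = False
    for line in nsec3_lines:
        _, alg, flags, iterations, salt = parse_params(line)
        if (alg, iterations, salt) != (p_alg, p_iter, p_salt):
            findings.append("NSEC3 hash parameters differ from NSEC3PARAM")
        if flags & ~OPT_OUT:
            findings.append("NSEC3 flags=%d sets reserved bits" % flags)
        opt_out = opt_out or bool(flags & OPT_OUT)
    return {"opt_out": opt_out, "findings": findings}

# Records quoted in the thread (the NSEC3 line re-joined from its wrapped form).
PAGE_PARAM = "test.org. 0 IN NSEC3PARAM 1 0 10 e5d234b3dc0e03a3"
PAGE_NSEC3 = ("pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3 "
              "1 1 10 e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 "
              "A NS SOA MX RRSIG DNSKEY NSEC3PARAM")
# Constructed variant: the Opt-Out bit copied into NSEC3PARAM.
BAD_PARAM = "test.org. 0 IN NSEC3PARAM 1 1 10 e5d234b3dc0e03a3"

if __name__ == "__main__":
    print(check_zone(PAGE_PARAM, [PAGE_NSEC3]))
    print(check_zone(BAD_PARAM, [PAGE_NSEC3]))
```

For the records from the thread the check reports Opt-Out in use and no findings, which matches the "by design" answer: the zero in NSEC3PARAM says nothing about whether the chain uses Opt-Out.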