[Opendnssec-user] nsec3 records for insecure empty non-terminal
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Aug 30 15:32:14 UTC 2016
Hi Emil,
> Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> the empty non-terminal is only derived from an insecure delegation
> covered by an Opt-Out NSEC3 RR.
>
> If I understand the above correctly, NSEC3 records should not be created
> for insecure delegations.
> validns also recognizes this as an error:
> validns ../signed/example.com.zone.signed
> ../signed/example.com.zone.signed:22: NSEC3 without a corresponding
> record (or empty non-terminal)
>
> Any help will be highly appreciated.
Ah, opt-out with empty non-terminals. Tricky business. From that quote
(and some light reading) I cannot derive that the signer output is wrong.
Basically that requirement explicitly does not apply here.
I'm unsure why validns does not detect the empty non-terminal. But I
admit further reading might be necessary to give a definitive answer.
//Yuri
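As an added illustration of the rule quoted above (this is example code written for this page, not from the thread, validns or OpenDNSSEC), the script below hashes owner names as RFC 5155 specifies and applies the empty-non-terminal/opt-out rule to a constructed zone, showing that an ENT which exists only because of an insecure delegation gets no NSEC3 under opt-out while an ENT with real data below it still does. The zone contents, salt and iteration count are constructed; the hash routine can be checked against the apex hash in RFC 5155 Appendix A.

```python
import base64
import hashlib

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"  # RFC 4648 base32hex alphabet used by NSEC3

def labels(name: str) -> list:
    return [lb for lb in name.lower().rstrip(".").split(".") if lb]

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: SHA-1(wire_name || salt), re-hashed `iterations` more times, base32hex."""
    wire = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(B32_STD, B32_HEX)).lower()

def nsec3_owners(zone: dict, apex: str, opt_out: bool) -> set:
    """Owner names needing an NSEC3 RR; `zone` maps names with authoritative data to RR types."""
    insecure, required = set(), set()
    for name, types in zone.items():
        if opt_out and name != apex and "NS" in types and "DS" not in types:
            insecure.add(name)  # opt-out: unsigned delegation may be left out of the chain
        else:
            required.add(name)
    depth = len(labels(apex))
    for name in zone:
        parts = labels(name)
        for i in range(1, len(parts) - depth):  # ancestors strictly between name and apex
            ent = ".".join(parts[i:]) + "."
            if ent in zone:
                continue  # has its own data, already handled above
            below = [n for n in zone if n.endswith("." + ent)]
            if opt_out and all(n in insecure for n in below):
                continue  # ENT derived only from opt-out delegations: no NSEC3 (RFC 5155 s7.1)
            required.add(ent)
    return required

# Constructed sample zone (no glue): an insecure delegation sits below the ENT "ent.example.com."
ZONE = {
    "example.com.": {"SOA", "NS", "DNSKEY", "NSEC3PARAM"},
    "www.example.com.": {"A"},
    "secure.example.com.": {"NS", "DS"},  # secure delegation: always in the chain
    "sub.ent.example.com.": {"NS"},       # insecure delegation: skipped under opt-out
    "a.b.example.com.": {"A"},            # "b.example.com." is an ENT with real data below
}
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12  # constructed NSEC3PARAM values
```

Running `nsec3_owners(ZONE, "example.com.", opt_out=True)` leaves out both `sub.ent.example.com.` and `ent.example.com.`, which is the case the quoted sentence carves out; with `opt_out=False` both names are back in the chain.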