[Opendnssec-user] nsec3 records for insecure empty non-terminal

Emil Natan shlyoko at gmail.com
Tue Aug 30 16:25:52 UTC 2016


On Tue, Aug 30, 2016 at 6:32 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:

> Hi Emil,
>
> > Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
> >       the empty non-terminal is only derived from an insecure delegation
> >       covered by an Opt-Out NSEC3 RR.
> >
> > If I understand the above correctly, NSEC3 records should not be created
> > for insecure delegations.
> > validns also recognizes this as an error:
> >  validns ../signed/example.com.zone.signed
> > ../signed/example.com.zone.signed:22: NSEC3 without a corresponding
> > record (or empty non-terminal)
> >
> > Any help will be highly appreciated.
>
> Ah, opt-out with empty non-terminals. Tricky business. From that quote
> (and some light reading) I cannot derive that the signer output is wrong.
> Basically that requirement explicitly does not apply here.
>
> I'm unsure why validns does not detect the empty non-terminal. But I
> admit further reading might be necessary to give a definitive answer.
>
> //Yuri
>
>
Actually, the validns error message supposes the presence of empty non-terminals.
In addition (I decided not to mention it in my initial email), BIND also does
not sign these. It does not mean the ODS signer is doing the wrong thing; I
only mention it as a reference to other interpretations of the RFC
definition. Unfortunately the different interpretations break a few of my
tests on the signed zones, which is not ideal. I presume in practice nothing
will be broken either way.
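The rule quoted at the top of the thread is RFC 5155 section 7.1: an empty non-terminal (ENT) needs an NSEC3 RR unless it exists only because of an insecure delegation covered by an Opt-Out NSEC3. The script below is an added example (not OpenDNSSEC, BIND or validns code, and not from the thread) that makes that classification explicit: it takes a constructed zone, finds the ENTs, works out which ones are derived only from insecure delegations, and lists the NSEC3 owners a signer must emit with and without Opt-Out, hashed with RFC 5155's SHA-1/base32hex scheme. The zone contents, salt and iteration count are assumptions chosen for illustration.

```python
import hashlib

# Constructed sample zone (not from the thread). Each entry is (owner, RR type);
# RDATA does not matter for the NSEC3 chain question.
ZONE = "example.com."
RECORDS = [
    ("example.com.", "SOA"), ("example.com.", "NS"),
    ("www.example.com.", "A"),
    ("sub.ent.example.com.", "NS"),          # insecure delegation: NS but no DS
    ("ns1.sub.ent.example.com.", "A"),       # glue below the cut, not authoritative
    ("child.secure.example.com.", "NS"),
    ("child.secure.example.com.", "DS"),     # secure delegation
]
# "ent.example.com." and "secure.example.com." own no RRs of their own: ENTs.

B32HEX = "0123456789abcdefghijklmnopqrstuv"

def _labels(name):
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def _wire(name):
    # Canonical (lowercased, uncompressed) wire form, RFC 4034 section 6.2.
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in _labels(name)) + b"\x00"

def _base32hex(data):
    # Extended Hex alphabet, RFC 4648 section 7; 20 SHA-1 bytes give exactly 32 chars.
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _base32hex(digest)

def is_below(name, ancestor):
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a

def zone_sets(records, zone):
    """Return (authoritative owner names, insecure delegation names, ENTs)."""
    owners = {n for n, _ in records}
    delegations = {n for n, t in records if t == "NS" and n != zone}
    insecure = {d for d in delegations if (d, "DS") not in records}
    # Names strictly below a zone cut (glue) are not this zone's authoritative data.
    authoritative = {n for n in owners if not any(is_below(n, d) for d in delegations)}
    ents = set()
    for n in authoritative:
        lab = _labels(n)
        # Every name between n and the apex that owns no RRs is an ENT.
        for i in range(1, len(lab) - len(_labels(zone))):
            ancestor = ".".join(lab[i:]) + "."
            if ancestor not in owners:
                ents.add(ancestor)
    return authoritative, insecure, ents

def optional_ents(records, zone):
    """ENTs derived only from insecure delegations (RFC 5155 section 7.1):
    every authoritative name beneath them is an insecure delegation, so an
    Opt-Out NSEC3 already covers the whole span and no NSEC3 is required."""
    authoritative, insecure, ents = zone_sets(records, zone)
    return {e for e in ents
            if all(d in insecure for d in authoritative if is_below(d, e))}

def expected_nsec3_owners(records, zone, opt_out):
    """Owner names that must carry an NSEC3 RR under the given Opt-Out policy."""
    authoritative, insecure, ents = zone_sets(records, zone)
    required = authoritative | ents
    if opt_out:
        required -= insecure | optional_ents(records, zone)
    return required

def nsec3_chain(records, zone, opt_out, salt_hex="aabbccdd", iterations=12):
    """(hashed owner label, original name) pairs in hash order, i.e. chain order."""
    return sorted((nsec3_hash(n, salt_hex, iterations), n)
                  for n in expected_nsec3_owners(records, zone, opt_out))

if __name__ == "__main__":
    for opt_out in (False, True):
        print(f"opt-out={opt_out}:")
        for h, n in nsec3_chain(RECORDS, ZONE, opt_out):
            print(f"  {h}.{ZONE}  <- {n}")
    print("ENTs whose NSEC3 is optional under Opt-Out:", sorted(optional_ents(RECORDS, ZONE)))
```

Run as-is it prints both chains; under Opt-Out the entry for ent.example.com. drops out while secure.example.com. stays, because the latter sits above a delegation that has a DS. That first case is exactly the disagreement in the thread: a signer may still emit an NSEC3 for such an ENT (harmless to validators) or leave it out, and the RFC wording only says it is not required, so a zone checker should report it as optional rather than as an error.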
