> > To answer the question, those values are the NSEC3PARAM data for the
> > zone, as defined in RFC 5155. [...] flags of 1 means opt-out and 0
> > means no opt-out;
>
> It is not exactly what the RFC says:
>
>    The Opt-Out flag is not used and is set to zero.

True. I oversimplified a bit.

When you send an NSEC3PARAM record via DDNS, it may be modified before it actually appears in the zone. The record you send is a signal to named that you want to change from NSEC to NSEC3, or change from one NSEC3 chain to another one with different parameters. The opt-out flag in the record you send is part of that signal; it indicates whether the new chain should use opt-out or not.

On receiving such a record, named carries out the NSEC3 transition. The last step in that transition is placing an NSEC3PARAM record at the zone apex. *That* record always has opt-out set to zero, per the RFC.

--
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
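
The signalling described in the reply, as an added example that is not part of the original message and is not BIND's code: a small Python model that parses NSEC3PARAM RDATA in RFC 5155 presentation format and derives the record that ends up at the zone apex. The function names and the sample RDATA values are assumptions made for illustration.

```python
import struct
from typing import NamedTuple

OPT_OUT = 0x01  # Opt-Out bit in the flags field (RFC 5155)

class Nsec3Param(NamedTuple):
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes

    def to_text(self) -> str:
        salt = self.salt.hex().upper() if self.salt else "-"
        return f"{self.hash_alg} {self.flags} {self.iterations} {salt}"

    def to_wire(self) -> bytes:
        # RDATA layout: alg(1) flags(1) iterations(2) salt-length(1) salt
        return struct.pack("!BBHB", self.hash_alg, self.flags,
                           self.iterations, len(self.salt)) + self.salt

def parse(text: str) -> Nsec3Param:
    """Parse presentation-format RDATA such as '1 1 10 ABCD'."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected: <hash-alg> <flags> <iterations> <salt>")
    alg, flags, iters = (int(f) for f in fields[:3])
    if not (0 <= alg <= 255 and 0 <= flags <= 255 and 0 <= iters <= 65535):
        raise ValueError("field out of range")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return Nsec3Param(alg, flags, iters, salt)

def interpret_update(sent_text: str):
    """Return (chain_uses_opt_out, apex_record) for a record sent via DDNS.

    Hypothetical helper modelling the behaviour described in the message:
    the sent flag selects opt-out for the new chain, while the record
    placed at the apex keeps the parameters with opt-out set to zero.
    """
    sent = parse(sent_text)
    wants_opt_out = bool(sent.flags & OPT_OUT)
    apex = sent._replace(flags=sent.flags & ~OPT_OUT)
    return wants_opt_out, apex

if __name__ == "__main__":
    for rdata in ("1 1 10 ABCD", "1 0 10 ABCD"):  # constructed samples
        opt_out, apex = interpret_update(rdata)
        print(f"sent {rdata!r}: opt-out chain={opt_out}, apex={apex.to_text()}")
```

Both constructed inputs yield the same apex RDATA, so the NSEC3PARAM record at the apex cannot be used to tell whether the chain was built with opt-out.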

