In message <dafe4c5a-daa9-4d54-8963-a56d9cd9f...@ausregistry.com.au>, Wolfgang Nagele writes:
> Hi,
>
> Ok that is already a bit better - at least saves a full sign with NSEC first.
> Wondering though, from a user perspective sending in NSEC3PARAM from the
> unsigned end seems like the most natural thing to do. Why complicate matters by
> having to use rndc here?

Because NSEC3PARAM is in-band signaling. With NSEC you have the apex's NSEC record presence/absence as a signal. With NSEC3 you have multiple NSEC3 chains and you need to know the NSEC3 parameters to find the NSEC3 record for the apex. One could do that by tracking all the NSEC3 records on a per parameter set basis then looking for the presence/absence of the NSEC3 record for the apex or use a separate type NSEC3PARAM.

With both NSEC and NSEC3 you can have partial chains, to support incremental signing, and you don't want to use them until they are complete.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
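
The "track NSEC3 records per parameter set, then look for the apex record" approach mentioned in the reply above can be sketched as follows. This is an added example, not part of the original message and not BIND's code; it assumes NSEC3 hash algorithm 1 (SHA-1) as defined in RFC 5155, and the function names and sample records are hypothetical.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash (algorithm 1, SHA-1) as a base32hex label."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def chains_with_apex(zone: str, nsec3_rrs):
    """Group NSEC3 records by (salt, iterations) and report, per parameter
    set, whether the record whose owner is the hashed zone apex is present."""
    seen = {}
    for label, salt_hex, iterations in nsec3_rrs:
        seen.setdefault((salt_hex, iterations), set()).add(label.lower())
    return {params: nsec3_hash(zone, *params) in labels
            for params, labels in seen.items()}

# Constructed sample: zone "example" holding one chain with the RFC 5155
# Appendix A parameters (salt aabbccdd, 12 iterations) and a second,
# partially built chain (salt 1234, 5 iterations) with no apex record yet.
SAMPLE = [
    (nsec3_hash("example", "aabbccdd", 12), "aabbccdd", 12),
    (nsec3_hash("a.example", "aabbccdd", 12), "aabbccdd", 12),
    (nsec3_hash("a.example", "1234", 5), "1234", 5),
]

if __name__ == "__main__":
    for params, has_apex in chains_with_apex("example", SAMPLE).items():
        print(params, "apex NSEC3 present:", has_apex)
```

The apex owner label differs for every (salt, iterations) pair, so a signer or validator that does not already know the parameters has nothing to look up; an apex record being present also says nothing about whether the rest of that chain is complete.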