In message <[email protected]>, Wolfgang 
Nagele writes:
> Hi,
> 
> > NSEC3PARAM records should be generated by the signing software and
> > not just be added to the zone.
> Who says that? :) I think that is a matter of implementation and preference.
> 
> > Their presence/absence changes how
> > the zone is served.  In particular how negative and wildcard responses
> > are generated.
> And how is that different from sending them in from a trusted source (your
> unsigned version, hopefully using TSIG) VS sending them in via another
> trusted source (rndc)?

NSEC3PARAM is not supposed to be present in an unsigned zone.  rndc doesn't
add them to the zone.  It tells the signing component to generate an NSEC3
chain and when that is complete to add the NSEC3PARAM record.
 
> Cheers,
> Wolfgang
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]