[ Quoting Matthijs Mekking at 08:48 on September 13 in "Re: [Opendnssec-user] opendnssec: N"... ]
> Hi,
>
> Funny. The TTL for NSEC3PARAM was 0 in a very early version of
> OpenDNSSEC. However, it does not matter what the TTL is: according to
> RFC 5155 the record is not used by validators or resolvers.
>
> The standard also does not dictate any values for the NSEC3PARAM TTL,
> so we decided to follow the normal TTL rules.
But it would be nice to follow BIND's lead, because

a) one can use the RRSIG(NSEC3PARAM) from BIND in a zone created by opendnssec and vice versa (this may come in handy in an extreme failure case)

b) the outside world cannot see your signer setup by looking at the TTL of the NSEC3PARAM

As the change is minimal, I would say: just apply Paul's patch.

grtz
Miek
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
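As an added example, not code from this thread, OpenDNSSEC or BIND: a small checker over a zone in presentation format that reports the two things the thread cares about, an NSEC3PARAM TTL other than 0 (which reveals the signer's defaults to anyone querying the record) and an RRSIG(NSEC3PARAM) whose TTL or Original TTL field disagrees with the RRset TTL (which is what makes swapping signatures between signers depend on the TTL). The parser, the finding texts and both sample zones are constructed for this example; the RRSIG field order follows RFC 4034 section 3.1, where the fourth rdata field is the Original TTL, and nothing here verifies the signature bytes themselves.

```python
"""Hygiene checks for the NSEC3PARAM RRset of a zone in presentation format.

Added example; not OpenDNSSEC or BIND code. Assumes one record per line with
an explicit owner, TTL, class and type. The sample zones below are constructed.
"""

from dataclasses import dataclass


@dataclass
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: list


def parse_zone(text):
    """Parse 'owner TTL IN TYPE rdata...' lines; ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4 or f[2] != "IN":
            raise ValueError("unsupported record line: %r" % line)
        records.append(Record(f[0], int(f[1]), f[3], f[4:]))
    return records


def check_nsec3param(records):
    """Return a list of findings; an empty list means TTL 0 and consistent RRSIGs."""
    findings = []
    params = [r for r in records if r.rtype == "NSEC3PARAM"]
    if not params:
        return ["no NSEC3PARAM record found"]
    for p in params:
        if p.ttl != 0:
            findings.append(
                "%s: NSEC3PARAM TTL is %d, not 0; differs from BIND-signed "
                "zones and lets outsiders infer the signer" % (p.owner, p.ttl))
    # RRSIG rdata (RFC 4034 s3.1): type covered, algorithm, labels, original
    # TTL, expiration, inception, key tag, signer name, signature.
    sigs = [r for r in records
            if r.rtype == "RRSIG" and r.rdata and r.rdata[0] == "NSEC3PARAM"]
    if not sigs:
        findings.append("NSEC3PARAM RRset has no RRSIG")
    for s in sigs:
        original_ttl = int(s.rdata[3])
        for p in params:
            if p.owner != s.owner:
                continue
            if s.ttl != p.ttl:
                findings.append(
                    "%s: RRSIG(NSEC3PARAM) TTL %d differs from RRset TTL %d "
                    "(RFC 4034 s3.3 requires them to match)"
                    % (p.owner, s.ttl, p.ttl))
            if original_ttl != p.ttl:
                findings.append(
                    "%s: RRSIG(NSEC3PARAM) Original TTL %d differs from RRset "
                    "TTL %d; the signature was made over a different TTL, "
                    "e.g. by another signer" % (p.owner, original_ttl, p.ttl))
    return findings


# Constructed sample: TTL-0 NSEC3PARAM with a consistent RRSIG (the signature
# field is a placeholder; nothing here checks the signature bytes).
ZONE_OK = """
example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
example. 0 IN RRSIG NSEC3PARAM 8 1 0 20240201000000 20240101000000 12345 example. PLACEHOLDER==
"""

# Constructed sample: NSEC3PARAM inherited the zone TTL while the RRSIG was
# produced over a TTL-0 RRset.
ZONE_BAD = """
example. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
example. 3600 IN RRSIG NSEC3PARAM 8 1 0 20240201000000 20240101000000 12345 example. PLACEHOLDER==
"""

if __name__ == "__main__":
    for name, zone in (("ok", ZONE_OK), ("bad", ZONE_BAD)):
        for finding in check_nsec3param(parse_zone(zone)) or ["clean"]:
            print(name, finding)
```

Run against a real zone file after flattening it to one record per line with explicit TTLs; a zone that follows the thread's advice produces no findings, while a zone whose NSEC3PARAM silently inherited the zone default produces the first finding alone.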
