I checked the RFC, but somehow missed it. Thanks.

Emil

On Tue, Dec 23, 2014 at 4:41 PM, Roy Arends <[email protected]> wrote:

> This is by design.
>
> http://tools.ietf.org/html/rfc5155#section-4.1.2
>
> Roy
>
> On 23 Dec 2014, at 14:35, Emil Natan <[email protected]> wrote:
>
> I see there are at least 3 TLDs which I know are using ODS and where
> the NSEC3PARAM indicates OPT-OUT disabled, but the NSEC3 records have
> OPT-OUT flag enabled. When using BIND to sign a zone, both NSEC3PARAM and
> NSEC3 have the flags set the same way. Is it me missing something or is it
> that by design?
> Thanks.
>
> On Tue, Dec 23, 2014 at 4:11 PM, Emil Natan <[email protected]> wrote:
>
>> Hello,
>>
>> This one is easy to reproduce.
>> ods-ksmutil -V
>> opendnssec version 1.4.6
>>
>> From kasp.xml:
>> <Denial>
>>   <NSEC3>
>>     <OptOut/>
>>     <Resalt>P100D</Resalt>
>>     <Hash>
>>       <Algorithm>1</Algorithm>
>>       <Iterations>10</Iterations>
>>       <Salt length="8"/>
>>     </Hash>
>>   </NSEC3>
>> </Denial>
>>
>> When the zonefile is signed, the NSEC3PARAM flag indicates OPT-OUT
>> disabled (when it's enabled in the configuration).
>>
>> test.org. 0 IN NSEC3PARAM 1 0 10 e5d234b3dc0e03a3
>>
>> The NSEC3 records though have it right.
>>
>> pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3
>> 1 1 10 e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG
>> DNSKEY NSEC3PARAM
>>
>> Can someone else confirm that behavior?
>>
>> Happy holidays,
>> Emil
>>
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
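Added example, not part of the original thread and not OpenDNSSEC or BIND code: a small consistency check for the behaviour discussed above, following RFC 5155 (the NSEC3PARAM Flags field must be zero, while Opt-Out is signalled by the low bit of the NSEC3 Flags field). The function names are hypothetical; the two sample records are the ones quoted in the thread.

```python
OPT_OUT = 0x01  # RFC 5155: Opt-Out is the least significant bit of the NSEC3 Flags field

def parse_nsec3_fields(record):
    """Return (rrtype, algorithm, flags, iterations, salt) from a presentation-format RR."""
    tokens = record.split()
    # The RR type is the FIRST matching token; "NSEC3PARAM" may also appear
    # later, inside the type bitmap of an NSEC3 record.
    idx = next((k for k, t in enumerate(tokens) if t in ("NSEC3", "NSEC3PARAM")), None)
    if idx is None or len(tokens) < idx + 5:
        raise ValueError("not an NSEC3 or NSEC3PARAM record: %r" % record)
    alg, flags, iterations = (int(t) for t in tokens[idx + 1:idx + 4])
    salt = "" if tokens[idx + 4] == "-" else tokens[idx + 4].lower()
    return tokens[idx], alg, flags, iterations, salt

def check_zone(param_rr, nsec3_rrs):
    """Return a list of findings; an empty list means the records are consistent."""
    rrtype, palg, pflags, piter, psalt = parse_nsec3_fields(param_rr)
    if rrtype != "NSEC3PARAM":
        raise ValueError("first argument must be the NSEC3PARAM record")
    findings = []
    if pflags != 0:
        # Section 4.1.2: an NSEC3PARAM RR with non-zero flags must be ignored.
        findings.append("NSEC3PARAM flags are %d, expected 0" % pflags)
    for rr in nsec3_rrs:
        owner = rr.split()[0]
        _, alg, flags, iterations, salt = parse_nsec3_fields(rr)
        if (alg, iterations, salt) != (palg, piter, psalt):
            findings.append("hash parameters differ from NSEC3PARAM at " + owner)
        if flags & ~OPT_OUT:
            findings.append("reserved NSEC3 flag bits set at " + owner)
    return findings

def opt_out_in_use(nsec3_rrs):
    """True if any NSEC3 record carries the Opt-Out flag."""
    return any(parse_nsec3_fields(rr)[2] & OPT_OUT for rr in nsec3_rrs)

# Records copied from the thread (NSEC3 line unwrapped onto one line).
PARAM = "test.org. 0 IN NSEC3PARAM 1 0 10 e5d234b3dc0e03a3"
NSEC3 = ("pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3 1 1 10 "
         "e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 "
         "A NS SOA MX RRSIG DNSKEY NSEC3PARAM")

if __name__ == "__main__":
    print("findings:", check_zone(PARAM, [NSEC3]))
    print("opt-out in use:", opt_out_in_use([NSEC3]))
```

To learn whether a signed zone uses Opt-Out, inspect the NSEC3 records; the NSEC3PARAM flags stay at zero either way.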
