nsec3 opt-out confusion

2014-04-01 Thread Klaus Darilion
Hi! I use Bind 9.9.5 for inline signing. The zone is configured to use NSEC3 without opt-out:

example.com 0 IN NSEC3PARAM 1 0 10 BEEF

Nevertheless, most of the resulting NSEC3 records have the opt-out bit set and insecure delegations are indeed skipped (no NSEC3

Re: nsec3 opt-out confusion (bug report)

2014-04-01 Thread Klaus Darilion
It seems Bind is a bit broken. I just removed NSEC3 and added NSEC3 again with 1 0 10 BEEF, and suddenly all NSEC3 records had the opt-out flag clear. Then I changed NSEC3 params to 1 1 10 BEEF. Then almost all NSEC3 records had the opt-out flag set, but two NSEC3 records still had the flag

Re: nsec3 opt-out confusion (bug report)

2014-04-01 Thread Chris Thompson
On Apr 1 2014, Klaus Darilion wrote:

[...] Nevertheless, it seems there are still two bugs:
1. The NSEC3 chain is not properly cleared when switching from non-opt-out to opt-out
2. The NSEC3PARAM record always has the opt-out flag clear, even if opt-out is activated.

That last, at least, is

Re: nsec3 opt-out confusion (bug report)

2014-04-01 Thread Klaus Darilion
On 01.04.2014 17:09, Chris Thompson wrote:

On Apr 1 2014, Klaus Darilion wrote:

[...] Nevertheless, it seems there are still two bugs:
1. The NSEC3 chain is not properly cleared when switching from non-opt-out to opt-out
2. The NSEC3PARAM record always has the opt-out flag clear, even if

Re: nsec3 opt-out confusion (bug report)

2014-04-01 Thread Evan Hunt
Nevertheless, it seems there are still two bugs:
1. The NSEC3 chain is not properly cleared when switching from non-opt-out to opt-out

That does seem incorrect (though under the circumstances it may be harmless). Could you please report it to bind9-b...@isc.org, including details of how you