Hello Paul, On Oct 26, 2012, at 15:17 , Paul Wouters wrote:
> On Fri, 26 Oct 2012, Peter van Dijk wrote: > >> nxd IN CNAME nxdomain.example.com. > >> PowerDNS currently does not generate this NSEC3 but this will be fixed >> shortly. > > You would return an NSEC3 record for a record that actually > exists? That would be a very inconsistent nsec/nsec3 chain. nxdomain.example.com does not exist. > How would offline signers deal with this? Pregenerate nsec records > for data that _is_ in the zone? Offline signers would already have generated the NSEC(3) that denies existence of nxdomain.example.com, simply by virtue of the name not existing in the zone. Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
