FYI

I have applied Paul's suggestion to the trunk (for 1.4.0rc1) and branches/OpenDNSSEC (for 1.3.11)

https://issues.opendnssec.org/browse/OPENDNSSEC-330

Best regards,
Matthijs

On 09/13/2012 09:36 AM, Miek Gieben wrote:
> [ Quoting Matthijs Mekking at 08:48 on September 13 in "Re:
> [Opendnssec-user] opendnssec: N"... ]
>> Hi,
>>
>> Funny. The TTL for NSEC3PARAM was 0 in a very early version of
>> OpenDNSSEC. However, it does not matter what the TTL is:
>> according to RFC 5155 the record is not used by validators or
>> resolvers.
>>
>> The standard also does not dictate any values for the NSEC3PARAM
>> TTL, so we decided to follow the normal TTL rules.
>
> But it would be nice to follow BIND's lead, because
>
> a) one can use the RRSIG(NSEC3PARAM) from BIND in a zone created by
>    opendnssec and vice versa (this may come in handy in an extreme
>    failure case)
> b) the outside world can not see your signer setup, by looking at
>    the TTL of the NSEC3PARAM
>
> As the change is minimal, I would say: just apply Paul's patch.
>
> grtz Miek
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
