I see there are at least 3 TLDs which I know are using ODS and where the NSEC3PARAM indicates OPT-OUT disabled, but the NSEC3 records have the OPT-OUT flag enabled. When using BIND to sign a zone, both NSEC3PARAM and NSEC3 have the flags set the same way. Is it me missing something, or is that by design? Thanks.
On Tue, Dec 23, 2014 at 4:11 PM, Emil Natan <[email protected]> wrote:
> Hello,
>
> This one is easy to reproduce.
> ods-ksmutil -V
> opendnssec version 1.4.6
>
> From kasp.xml:
> <Denial>
> <NSEC3>
> <OptOut/>
> <Resalt>P100D</Resalt>
> <Hash>
> <Algorithm>1</Algorithm>
> <Iterations>10</Iterations>
> <Salt length="8"/>
> </Hash>
> </NSEC3>
> </Denial>
>
> When the zonefile is signed, the NSEC3PARAM flag indicates OPT-OUT
> disabled (when it's enabled in the configuration).
>
> test.org. 0 IN NSEC3PARAM 1 0 10 e5d234b3dc0e03a3
>
> The NSEC3 records though have it right.
>
> pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3 1 1 10 e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG DNSKEY NSEC3PARAM
>
> Can someone else confirm that behavior?
>
> Happy holidays,
> Emil
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
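An added checker for the situation discussed in this thread (example code, not part of the original post or of OpenDNSSEC): it parses NSEC3PARAM and NSEC3 records from a signed zone in presentation format, verifies that the NSEC3PARAM flags field is zero as RFC 5155 section 4.1.2 requires (the Opt-Out flag is only meaningful on NSEC3 records), checks that every NSEC3 record uses the apex's algorithm, iteration count and salt, and lists which NSEC3 records carry Opt-Out. The zone excerpt is constructed from the two records quoted above plus one deliberately mismatched NSEC3 record to exercise the checks.

```python
"""Consistency checks between NSEC3PARAM and the NSEC3 chain of a signed zone."""

# Constructed sample: the two records from the thread plus one NSEC3 record
# with a wrong iteration count (11 instead of 10) to trigger a finding.
ZONE = """\
test.org. 0 IN NSEC3PARAM 1 0 10 e5d234b3dc0e03a3
pufepsta7kv6r1uo2t3nchdkqpdhaqak.test.org. 86400 IN NSEC3 1 1 10 e5d234b3dc0e03a3 8a2j6ietl8fhltcfp1l25mf7qfu6dt69 A NS SOA MX RRSIG DNSKEY NSEC3PARAM
8a2j6ietl8fhltcfp1l25mf7qfu6dt69.test.org. 86400 IN NSEC3 1 0 11 e5d234b3dc0e03a3 pufepsta7kv6r1uo2t3nchdkqpdhaqak A RRSIG
"""

OPT_OUT = 0x01  # NSEC3 Flags: bit 0 is Opt-Out (RFC 5155 section 3.1.2.1)


def parse_zone(text):
    """Return (nsec3param dict or None, list of NSEC3 dicts) from zone text."""
    params, nsec3 = None, []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class type alg flags iterations salt [next-hash [types...]]
        if len(f) < 8 or f[2] != "IN":
            continue
        rr = {"owner": f[0], "alg": int(f[4]), "flags": int(f[5]),
              "iter": int(f[6]), "salt": f[7].lower()}
        if f[3] == "NSEC3PARAM":
            params = rr
        elif f[3] == "NSEC3" and len(f) >= 9:
            rr["next"] = f[8].lower()
            nsec3.append(rr)
    return params, nsec3


def check_chain(params, nsec3):
    """Return a list of human-readable findings; empty means consistent."""
    findings = []
    if params is None:
        return ["no NSEC3PARAM record found at the apex"]
    if params["flags"] != 0:
        findings.append("NSEC3PARAM flags must be 0 (RFC 5155 s4.1.2), got %d"
                        % params["flags"])
    for rr in nsec3:
        if (rr["alg"], rr["iter"], rr["salt"]) != (params["alg"], params["iter"], params["salt"]):
            findings.append("%s: parameters %d/%d/%s differ from NSEC3PARAM %d/%d/%s"
                            % (rr["owner"], rr["alg"], rr["iter"], rr["salt"],
                               params["alg"], params["iter"], params["salt"]))
        if rr["flags"] & ~OPT_OUT:
            findings.append("%s: reserved NSEC3 flag bits set (0x%02x)" % (rr["owner"], rr["flags"]))
    return findings


def optout_owners(nsec3):
    """Owner names of NSEC3 records that have the Opt-Out flag set."""
    return [rr["owner"] for rr in nsec3 if rr["flags"] & OPT_OUT]
```

Run against a full signed zone, an empty result from check_chain means the chain parameters agree with NSEC3PARAM; an NSEC3PARAM with Opt-Out set would itself be reported as the RFC violation, which is why a flags value of 0 there is the expected output for an opt-out zone.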
