On Sat, 11 Jun 2011 15:16:14 +0200, Christof Meerwald wrote:
> On Sat, 11 Jun 2011 22:11:57 +1200, Craig Whitmore wrote:
> [...]
>> And testing if everything worked out.. Except it sets the options
>> differently than if I typed "pdnssec set-nsec3 spam.co.nz" I have no idea
>> what the difference is but it still passes the dig tests I do...
> I have to say that I am a bit confused now. The difference is that the
> opt-out flag is set to zero on the slave, but that's what
> http://tools.ietf.org/html/rfc5155#section-4.1.2 says.
>
> So I don't understand how a zone transfer is supposed to work when the
> flag is always set to zero in the NSEC3PARAM record...

Ok, I guess the answer is that the slave is supposed to use the NSEC3
records (because the flag can be different) instead of trying to
regenerate them based on the NSEC3PARAM record.

I have updated my patch (http://wiki.powerdns.com/trac/ticket/369) to
also look at the NSEC3 records for the opt-out flag - this should at
least work with a PowerDNS master, but will not work if the flags do
differ (or if there are multiple NSEC3PARAM records).

BTW, PowerDNS also incorrectly set the flags field in NSEC3 records to
0 in tcpreceiver.cc.


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
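
The point made in the message above, as an added example that is not part of the original post or of the PowerDNS patch: a secondary takes the hash parameters from NSEC3PARAM (whose flags must be zero per RFC 5155 section 4.1.2) and reads the opt-out bit from the NSEC3 records themselves. The function name, the zone `example.test` and the sample records are assumptions constructed for illustration.

```python
OPT_OUT = 0x01  # Opt-Out is the least significant bit of the NSEC3 Flags field

# Constructed AXFR excerpt (owner TTL class type rdata); all values are made up.
SAMPLE_AXFR = """\
example.test. 3600 IN SOA ns1.example.test. host.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN NSEC3PARAM 1 0 12 aabbccdd
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.test. 3600 IN NSEC3 1 1 12 aabbccdd 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom A RRSIG
"""


def opt_out_for_zone(axfr_text):
    """Return ((alg, iterations, salt), opt_out) for a transferred zone.

    Raises ValueError for the two cases the message names as unsupported:
    several NSEC3PARAM records, or NSEC3 records whose opt-out flags differ.
    """
    params, chain_flags = [], {}
    for line in axfr_text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[3] not in ("NSEC3", "NSEC3PARAM"):
            continue
        # rdata layout shared by both types: alg, flags, iterations, salt
        key = (int(tok[4]), int(tok[6]), tok[7].lower())
        flags = int(tok[5])
        if tok[3] == "NSEC3PARAM":
            if flags == 0:  # RFC 5155 4.1.2: nonzero flags means "ignore this record"
                params.append(key)
        else:
            chain_flags.setdefault(key, set()).add(bool(flags & OPT_OUT))
    if len(params) != 1:
        raise ValueError("expected exactly one usable NSEC3PARAM, got %d" % len(params))
    seen = chain_flags.get(params[0], set())
    if len(seen) != 1:
        raise ValueError("NSEC3 opt-out flags missing or inconsistent: %r" % sorted(seen))
    return params[0], seen.pop()


if __name__ == "__main__":
    print(opt_out_for_zone(SAMPLE_AXFR))
```
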