Hello Klaus,

On Mar 28, 2013, at 12:03 , Klaus Darilion wrote:

> Meanwhile I found the important statement in the docu: "In NSEC3 opt-out mode 
> (the only NSEC3 mode PowerDNS currently supports) ....".
> 
> Are there any plans to support NSEC3 without opt-out?

Yes - Kees Monshouwer has in fact written a great patch for it already. We will 
merge it as time permits. You can find it at 
https://github.com/Habbie/powerdns/pull/71

> Further, I wonder why and how PowerDNS synthesizes the NSEC3 records on the 
> fly? In our setup PDNS is a secondary, the signing happens on the master. 
> Thus, PDNS receives the zone with AXFR, including the NSEC3 records and the 
> corresponding RRSIG records. Then, PDNS ignores all the NSEC3 records and 
> synthesizes them anew. Therefore there is a great chance that the original 
> signature does not work anymore, and that's also the reason why a zone 
> without opt-out gets broken by PDNS.
Apart from opt out vs. no opt out, we have had zero reports of our synthesis 
breaking original signatures. I'll admit that it does not feel robust, but all 
modern signers appear to agree on what the canonical NSEC3 chain for a zone is.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
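An added example, not PowerDNS code and not part of either message, of what "the canonical NSEC3 chain for a zone" means: RFC 5155 hashing of owner names and the set of names that goes into the chain with and without opt-out. The zone names, salt and iteration count are taken from RFC 5155 Appendix A; the `c.example` unsigned delegation is the one that opt-out leaves out.

```python
import base64
import hashlib

# base32 (RFC 4648 alphabet) -> base32hex (0-9A-V), as NSEC3 owner names use
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical(name):
    """Normalise an owner name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def wire_name(name):
    """Canonical wire form: length-prefixed lowercase labels ending in the root label."""
    labels = [l for l in canonical(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(name||salt), then `iterations` more rounds of SHA-1(digest||salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()


def add_empty_nonterminals(apex, names):
    """Every label boundary between a name and the apex gets its own NSEC3 (empty non-terminals)."""
    depth = len(canonical(apex).split("."))
    out = {canonical(n) for n in names}
    for n in list(out):
        labels = n.split(".")
        while len(labels) > depth + 1:
            labels = labels[1:]
            out.add(".".join(labels))
    return sorted(out)


def nsec3_chain(apex, names, salt_hex, iterations, opt_out, insecure_delegations=()):
    """Return [(owner_hash, next_hash)] in hash order, last entry wrapping to the first.
    With opt-out, unsigned delegations (and empty non-terminals that exist only
    because of them) are left out of the chain; without opt-out every name is in."""
    skip = {canonical(n) for n in insecure_delegations} if opt_out else set()
    kept = [n for n in names if canonical(n) not in skip]
    hashes = sorted(nsec3_hash(n, salt_hex, iterations)
                    for n in add_empty_nonterminals(apex, kept))
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]
```

Two signers that agree on the name set, salt, iterations and hash algorithm produce the same chain, which is what a re-synthesising secondary relies on; a signer that excluded different names (opt-out) produces a different chain and the master's RRSIGs over NSEC3 no longer match.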


_______________________________________________
Pdns-users mailing list
http://mailman.powerdns.com/mailman/listinfo/pdns-users