In message <20100317172506.gb21...@isc.org>, Evan Hunt writes:
> > BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> > response.
>
> Correct, and whoops. We should have backported at least that much
> knowledge of NSEC3.
Not really. You need a NSEC3 aware path between the
> BIND <=9.5 doesn't know that it's supposed to pass them in a NXDOMAIN
> response.
Correct, and whoops. We should have backported at least that much
knowledge of NSEC3.
> That said, I thought it would be possible to explicitely ask for TYPE50.
> But that seems not to work, either:
IIRC, RFC 51
Stephane Bortzmeyer wrote:
> I cannot get the NSEC3 records through a BIND resolver if it is
> version <= 9.5:
>
> % dig +dnssec jhfgTCFGD564564.org
>
> If BIND >= 9.6, it works (or with Unbound). Yes, NSEC3 support was
> added in 9.6 but, for older BINDs, TYPE50 (NSEC3) shoul
I cannot get the NSEC3 records through a BIND resolver if it is
version <= 9.5:
% dig +dnssec jhfgTCFGD564564.org
; <<>> DiG 9.5.1-P3 <<>> +dnssec @dnssec.generic-nic.net jhfgTCFGD564564.org
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode:
4 matches
Mail list logo