[DNSOP] Any suggestion on what I'm doing that is stupid here on NSEC3?

2014-02-12 Thread Nicholas Weaver
I'm trying to do my own implementation of NSEC3 as part of my dynamic DNSSEC server (in order to do NSEC3 lies for NXDOMAIN, since you can't do such a lie with NSEC; NSEC lies only allow 0 answer noerror, which is unfortunately NOT the same). But I appear to be doing something stupid, and am not

Re: [DNSOP] Any suggestion on what I'm doing that is stupid here on NSEC3?

2014-02-12 Thread Shumon Huque
It might be because NSEC3 uses base32 with extended hex alphabet. Looks like you're using plain base32. See http://tools.ietf.org/html/rfc4648#section-7 --Shumon. On Wed, Feb 12, 2014 at 07:35:47AM -0800, Nicholas Weaver wrote: I'm trying to do my own implementation of NSEC3 as part of my

Re: [DNSOP] Any suggestion on what I'm doing that is stupid here on NSEC3?

2014-02-12 Thread Mukund Sivaraman
Hi Nicholas On Wed, Feb 12, 2014 at 07:35:47AM -0800, Nicholas Weaver wrote: Looking at com, the NSEC3 for com is: CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - ... (Algorithm 1 - SHA-1, flag = 1, iterations = 0, salt = None, fetched by dig +dnssec MX com

Re: [DNSOP] Any suggestion on what I'm doing that is stupid here on NSEC3?

2014-02-12 Thread Nicholas Weaver
Thanks. Indeed I was stupid: wrong base32 encoding

--
Nicholas Weaver                  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edu        full of sound and fury,
510-666-2903                     signifying nothing
PGP:
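The mismatch diagnosed in this thread, as an added example that is not code from any of the posters: it computes the NSEC3 owner label for `com` with the parameters quoted above (SHA-1, 0 iterations, no salt) and encodes the same digest with both plain base32 and the base32 extended hex alphabet of RFC 4648 section 7. The function names are hypothetical, chosen for this illustration.

```python
import base64
import hashlib

# The two RFC 4648 alphabets; NSEC3 owner labels use the extended hex one.
B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # section 6, plain base32
B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"   # section 7, base32hex
STD_TO_HEX = bytes.maketrans(B32_STD, B32_HEX)

def wire_name(name):
    """Canonical (lowercased) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue  # the root name is just the terminating zero octet
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_digest(name, salt=b"", iterations=0):
    """SHA-1 of (name || salt), then re-hashed `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def plain_base32_label(name, salt=b"", iterations=0):
    """The mistake: correct digest, wrong (plain base32) alphabet."""
    return base64.b32encode(nsec3_digest(name, salt, iterations)).decode("ascii")

def nsec3_label(name, salt=b"", iterations=0):
    """Correct NSEC3 owner label: base32hex, no padding."""
    std = base64.b32encode(nsec3_digest(name, salt, iterations))
    return std.rstrip(b"=").translate(STD_TO_HEX).decode("ascii")

if __name__ == "__main__":
    # Parameters from the thread: algorithm 1 (SHA-1), 0 iterations, no salt.
    print("plain base32:", plain_base32_label("com"))
    print("base32hex   :", nsec3_label("com"))
```

Both outputs carry the same 160 bits, so a label produced with the wrong alphabet is well-formed but never matches the owner names a resolver sees in the zone.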