Hi,
Opt-Out NSEC3 don't proof existence or non-existence of _unsigned_
domain name (RFC5155 12.2); So you don't need to set 'domian-insecure'
to dummy names below NSEC3 Opt-Out zone.
# .io and .com are signed with NSEC3 Opt-Out.
forward-zone:
name: "nonexistentname.io"
forward-addr: 192.0.2.1
forward-zone:
name: "nonexistentname.com"
forward-addr: 192.0.2.1
You need to set 'domian-insecure' to dummy names below
non-OptOut-NSEC3 or NSEC-signed zone:
# biz and root zone are signed with NSEC.
domain-insecure: "nonexistentname.biz"
domain-insecure: "nonexistenttld"
forward-zone:
name: "nonexistentname.biz"
forward-addr: 192.0.2.1
forward-zone:
name: "nonexistenttld"
forward-addr: 192.0.2.1
2016-05-09 0:19 GMT+09:00 Stephane Bortzmeyer <[email protected]>:
> On Sun, May 08, 2016 at 11:35:46PM +0900,
> Daisuke HIGASHI <[email protected]> wrote
> a message of 20 lines which said:
>
>> Isn't that TLD signed with NSEC3 Opt-Out ?
>
> It's .io and, yes, it uses Opt-Out:
>
> 0dcnrnddcil4ucmvpbaekvtkjh1hud3v.io. 3600 IN NSEC3 1 1 5 E35770A11A (
>
> 0EC3N02EKQT2RUTJOS87A6A86AIILG4C
>
> NS
>
> DS
>
> RRSIG
>
> )
>
