[ldns-users] [validns-users] just started with validns - few problems

Jelte Jansen jelte.jansen at sidn.nl
Wed Feb 26 10:51:43 UTC 2014


On 02/25/2014 05:46 PM, Paul Wouters wrote:
> 
> I guess one could argue about whether NSEC3PARAM should be signed or
> not. IMHO, it should not even be in the zone at all, it's a bind/isc hack
> that made it into an RFC :P Perhaps ldns-verify-zone should not give
> an error for that? Although I wonder which signers actually skip signing
> the NSEC3PARAM record. That's a bind signer thing, as isc.org's nsec3param
> also seems to miss the RRSIG record for NSEC3PARAM.
> 

While you could argue the rationale of the NSEC3PARAM record versus
other ways to signal to auths which nsec3 chain to use, calling it a
bind hack that got copied into an rfc is misrepresenting history; IIRC
this came out of a WG workshop where other implementors (hi!) were just
as present as those from ISC :p

As it is right now, you certainly can't just leave it out of the zone. I
don't personally see why you would then special case it further and skip
it during signing (it is indeed not necessary in the validation
process), but hey. Bind's signers certainly do sign it.

Jelte
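The complaint that started this thread is ldns-verify-zone reporting an RRset (here the apex NSEC3PARAM) with no RRSIG covering it. The script below is an added example written for this page, not ldns or ldns-verify-zone code: it performs that same per-RRset coverage check on a zone file in presentation format, and lets the caller exempt record types (for instance NSEC3PARAM) from the check, which is the "special case it" option discussed above. The zone text is constructed for the example, the RRSIG signature fields are placeholders that are never decoded, and the parser assumes one record per line (no parenthesised multi-line records, no $ORIGIN or $TTL directives).

```python
"""Report RRsets in a signed zone that have no covering RRSIG.

Editor's example, not part of ldns or ldns-verify-zone. Only owner
names, record types and the RRSIG "type covered" / signer fields are
examined; signature bytes are never checked.
"""
from collections import defaultdict

# Constructed sample zone (not a real zone). The base64 at the end of
# each RRSIG is placeholder text, not a real signature.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
example.      3600 IN SOA   ns1.example. hostmaster.example. 2014022601 7200 3600 1209600 3600
example.      3600 IN RRSIG SOA 8 1 3600 20140328000000 20140226000000 12345 example. c2lnLXNvYQ==
example.      3600 IN NS    ns1.example.
example.      3600 IN RRSIG NS 8 1 3600 20140328000000 20140226000000 12345 example. c2lnLW5z
example.      3600 IN DNSKEY 257 3 8 AwEAAcHhczBkd2PqYlOgKp+vzykwoDUCiXV3HiQUvE7/zYE=
example.      3600 IN RRSIG DNSKEY 8 1 3600 20140328000000 20140226000000 12345 example. c2lnLWRuc2tleQ==
example.      0    IN NSEC3PARAM 1 0 10 AABBCCDD
ns1.example.  3600 IN A     192.0.2.1
ns1.example.  3600 IN RRSIG A 8 2 3600 20140328000000 20140226000000 12345 example. c2lnLWE=
"""


def _normalize(name):
    # Owner and signer names compare case-insensitively; force a trailing dot.
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Split a zone into data RRsets and RRSIG coverage.

    Returns (rrsets, rrsigs): rrsets maps (owner, type) to its rdata
    strings, rrsigs maps (owner, covered type) to the signer names seen.
    """
    rrsets = defaultdict(list)
    rrsigs = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments, skip blanks
        if not line:
            continue
        fields = line.split()
        owner = _normalize(fields[0])
        i = 1
        # TTL and class are both optional in presentation format.
        if i < len(fields) and fields[i].isdigit():
            i += 1
        if i < len(fields) and fields[i].upper() in ("IN", "CH", "HS"):
            i += 1
        rtype = fields[i].upper()
        rdata = fields[i + 1:]
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig
            if len(rdata) < 9:
                raise ValueError(f"malformed RRSIG: {line}")
            rrsigs[(owner, rdata[0].upper())].append(_normalize(rdata[7]))
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, rrsigs


def unsigned_rrsets(text, ignore_types=()):
    """List (owner, type) pairs with no RRSIG covering them.

    ignore_types exempts record types from the check, e.g. ["NSEC3PARAM"]
    if a signer is known to leave that record unsigned.
    """
    rrsets, rrsigs = parse_zone(text)
    skip = {t.upper() for t in ignore_types}
    return sorted(k for k in rrsets if k[1] not in skip and k not in rrsigs)


def foreign_signers(text, apex):
    """List (owner, type, signer) for RRSIGs not signed by the zone apex."""
    _, rrsigs = parse_zone(text)
    apex = _normalize(apex)
    return sorted((o, t, s) for (o, t), names in rrsigs.items()
                  for s in names if s != apex)


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE_ZONE):
        print(f"no RRSIG covering {owner} {rtype}")
    if not unsigned_rrsets(SAMPLE_ZONE, ignore_types=["NSEC3PARAM"]):
        print("all RRsets signed once NSEC3PARAM is exempted")
```

Run as-is it reports only the apex NSEC3PARAM, and reports nothing once that type is exempted, which is the difference between the current ldns-verify-zone behaviour and the relaxed check proposed in the quoted message. On a real zone, delegation-point NS RRsets and glue are legitimately unsigned, so a production checker would also have to exempt records below a zone cut; the constructed sample contains none.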
