[ldns-users] offtopic - was Re: [validns-users] just started with validns - few problems

Jelte Jansen jelte.jansen at sidn.nl
Wed Feb 26 15:44:02 UTC 2014

On 02/26/2014 04:38 PM, Paul Wouters wrote:
>> As it is right now, you certainly can't just leave it out of the zone.
> Why not? When is it served as authoritative data? When does a validator
> require that record?
> From what I understand, it's a postit note for signers, and signers that
> are also authoritative servers in the same process (like bind :) need
> it?

Nono, the signer is actually the one that wouldn't need it :)

In theory (and in some re-salt rollover scenario's), you can have
multiple nsec3 chains in your zone, some of which may not actually be
complete at all (so you can gradually update to your new chain). The
NSEC3PARAM records signals to the *serving* auths which chain is the
complete-and-active one to pick the NSEC3 records from when building a
response (and barring any NSEC3PARAM record it should probably be
looking for normal NSECs, even if there are some NSEC3 records there).

A validator indeed does not need it.


More information about the ldns-users mailing list