[nsd-users] NSD RFC compliance questions (DNSSEC related)

Peter Koch pk at denic.de
Fri Oct 21 10:10:36 UTC 2011

On Fri, Oct 21, 2011 at 09:47:37AM +0200, Matthijs Mekking wrote:

> > RFC 4470 Minimally Covering NSEC Records and DNSSEC On-line Signing
> No: NSD does not do signing.

It might be helpful to the initial poster to know that, even though
RFC 4470 (with amendments in RFC 4471) is on IETF Standards Track,
it is to be considered an optional part of the DNSSEC protocol suite.
This was to address the zone enumeration problem back in the day when
NSEC3 (now in RFC 5155) was not yet fully specified, let alone implemented.
Both methods address the same problem from different angles and
have their pros and cons. With NSEC3 in use with various TLDs,
tools and validators today can be expected to understand this
extension (and NSD implements RFC 5155 on the authoritative server

If the list of RFCs originated from a third-party checklist, I'd be
interested in learning about the background.


