[Pdns-users] Slave Zones and Presigned Zones

Christof Meerwald cmeerw at cmeerw.org
Sat Jun 11 17:00:55 UTC 2011


On Sat, 11 Jun 2011 15:16:14 +0200, Christof Meerwald wrote:
> On Sat, 11 Jun 2011 22:11:57 +1200, Craig Whitmore wrote:
> [...]
>> And testing if everything worked out.. Except it sets the options
>> differently than if I typed "pdnssec set-nsec3 spam.co.nz" I have no idea
>> what the difference is but it still passes the dig tests I do...
> I have to say that I am a bit confused now. The difference is that the
> opt-out flag is set to zero on the slave, but that's what
> http://tools.ietf.org/html/rfc5155#section-4.1.2 says.
>
> So I don't understand how a zone transfer is supposed to work when the
> flag is always set to zero in the NSEC3PARAM record...

Ok, I guess the answer is that the slave is supposed to use the NSEC3
records (because the flag can be different) instead of trying to
regenerate them based on the NSEC3PARAM record.

I have updated my patch (http://wiki.powerdns.com/trac/ticket/369) to
also look at the NSEC3 records for the opt-out flag - this should at
least work with a PowerDNS master, but will not work if the flags do
differ (or if there are multiple NSEC3PARAM records).

BTW, PowerDNS also incorrectly set the flags field in NSEC3 records to
0 in tcpreceiver.cc.


Christof

-- 

http://cmeerw.org                              sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org                   xmpp:cmeerw at cmeerw.org
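
The point made in this message, as an added Python example that is not part of the original post or of the PowerDNS patch: the opt-out bit is read from the transferred NSEC3 records while the NSEC3PARAM flags field stays zero, and the two cases the message lists as unhandled are reported. The function name, the sample records, and the reading of "flags differ" as disagreement among the NSEC3 records are assumptions.

```python
OPT_OUT = 0x01  # RFC 5155: Opt-Out is the least significant bit of the NSEC3 flags

def nsec3_settings(axfr_lines):
    """Derive NSEC3 settings for a presigned zone from AXFR records given in
    presentation format (owner ttl class type rdata...)."""
    params, flag_values, problems = set(), set(), []
    for line in axfr_lines:
        f = line.split()
        if len(f) < 8 or f[3] not in ("NSEC3", "NSEC3PARAM"):
            continue
        alg, flags, iters = int(f[4]), int(f[5]), int(f[6])
        salt = "" if f[7] == "-" else f[7].lower()  # "-" means empty salt
        if f[3] == "NSEC3PARAM":
            params.add((alg, iters, salt))
            if flags != 0:
                problems.append("NSEC3PARAM flags field is not zero")
        else:
            flag_values.add(flags)
    if len(params) != 1:
        problems.append("expected one NSEC3PARAM record, found %d" % len(params))
    if len(flag_values) > 1:
        problems.append("NSEC3 records carry different flags: %s" % sorted(flag_values))
    alg, iters, salt = sorted(params)[0] if params else (None, None, None)
    return {
        "algorithm": alg, "iterations": iters, "salt": salt,
        # The opt-out bit is read from the NSEC3 records, never from NSEC3PARAM.
        "opt_out": any(v & OPT_OUT for v in flag_values),
        "problems": problems,
    }

# Constructed sample transfer: zone name, salt and hashed owner names are
# placeholders, not real hashes.
SAMPLE_AXFR = [
    "example.org. 3600 IN SOA ns1.example.org. host.example.org. 1 2 3 4 5",
    "example.org. 3600 IN NSEC3PARAM 1 0 1 ab",
    "0000000000000000000000000000aaaa.example.org. 3600 IN NSEC3 1 1 1 ab "
    "vvvvvvvvvvvvvvvvvvvvvvvvvvvvaaaa NS SOA RRSIG DNSKEY NSEC3PARAM",
    "vvvvvvvvvvvvvvvvvvvvvvvvvvvvaaaa.example.org. 3600 IN NSEC3 1 1 1 ab "
    "0000000000000000000000000000aaaa A RRSIG",
]

if __name__ == "__main__":
    print(nsec3_settings(SAMPLE_AXFR))
```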


