"domain-insecure" no longer necessary?
Daisuke HIGASHI
daisuke.higashi at gmail.com
Sun May 8 15:53:15 UTC 2016
Hi,
Opt-Out NSEC3 don't proof existence or non-existence of _unsigned_
domain name (RFC5155 12.2); So you don't need to set 'domian-insecure'
to dummy names below NSEC3 Opt-Out zone.
# .io and .com are signed with NSEC3 Opt-Out.
forward-zone:
name: "nonexistentname.io"
forward-addr: 192.0.2.1
forward-zone:
name: "nonexistentname.com"
forward-addr: 192.0.2.1
You need to set 'domian-insecure' to dummy names below
non-OptOut-NSEC3 or NSEC-signed zone:
# biz and root zone are signed with NSEC.
domain-insecure: "nonexistentname.biz"
domain-insecure: "nonexistenttld"
forward-zone:
name: "nonexistentname.biz"
forward-addr: 192.0.2.1
forward-zone:
name: "nonexistenttld"
forward-addr: 192.0.2.1
2016-05-09 0:19 GMT+09:00 Stephane Bortzmeyer <bortzmeyer at nic.fr>:
> On Sun, May 08, 2016 at 11:35:46PM +0900,
> Daisuke HIGASHI <daisuke.higashi at gmail.com> wrote
> a message of 20 lines which said:
>
>> Isn't that TLD signed with NSEC3 Opt-Out ?
>
> It's .io and, yes, it uses Opt-Out:
>
> 0dcnrnddcil4ucmvpbaekvtkjh1hud3v.io. 3600 IN NSEC3 1 1 5 E35770A11A (
> 0EC3N02EKQT2RUTJOS87A6A86AIILG4C
> NS
> DS
> RRSIG
> )
>
More information about the Unbound-users
mailing list