Maintained by: NLnet Labs

"domain-insecure" no longer necessary?

Daisuke HIGASHI
Sun May 8 17:53:15 CEST 2016


Hi,

  Opt-Out NSEC3 doesn't prove the existence or non-existence of _unsigned_
domain names (RFC5155 12.2), so you don't need to set 'domain-insecure'
for dummy names below an NSEC3 Opt-Out zone.

# .io and .com are signed with NSEC3 Opt-Out.
  forward-zone:
       name: "nonexistentname.io"
       forward-addr: 192.0.2.1
  forward-zone:
       name: "nonexistentname.com"
       forward-addr: 192.0.2.1


   You need to set 'domain-insecure' for dummy names below a
non-Opt-Out NSEC3 or NSEC-signed zone:

# .biz and the root zone are signed with NSEC.
# domain-insecure is a server: option in unbound.conf.
  server:
       domain-insecure: "nonexistentname.biz"
       domain-insecure: "nonexistenttld"

  forward-zone:
       name: "nonexistentname.biz"
       forward-addr: 192.0.2.1

  forward-zone:
       name: "nonexistenttld"
       forward-addr: 192.0.2.1



2016-05-09 0:19 GMT+09:00 Stephane Bortzmeyer <bortzmeyer at nic.fr>:
> On Sun, May 08, 2016 at 11:35:46PM +0900,
>  Daisuke HIGASHI <daisuke.higashi at gmail.com> wrote
>  a message of 20 lines which said:
>
>> Isn't that TLD signed with NSEC3 Opt-Out ?
>
> It's .io and, yes, it uses Opt-Out:
>
> 0dcnrnddcil4ucmvpbaekvtkjh1hud3v.io. 3600 IN NSEC3 1 1 5 E35770A11A (
>                                                    0EC3N02EKQT2RUTJOS87A6A86AIILG4C
>                                                                                 NS
>                                                                                 DS
>                                                                                 RRSIG
>                                                                                 )
>
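The rule in Daisuke's message, worked through in code as an added example (it is not part of the thread and not Unbound's or NLnet Labs' code): parse the NSEC3 record Stephane quoted, read its Opt-Out flag, hash a dummy name the RFC 5155 way, and report whether the record that covers that hash forces a domain-insecure entry. The .io record and the dummy names are the ones from the thread; the salt aabbccdd / 12 iterations vector is RFC 5155 Appendix A and serves only as a self-check of the hash function; the single-record "chains" built in the test are constructed, not real .io or .biz data.

```python
"""Check an NSEC3 record for Opt-Out and hash a name the RFC 5155 way.

Added example for the thread above; not code from Unbound, NLnet Labs or
the posters. The .io NSEC3 record and the dummy names come from the thread;
the salt aabbccdd / 12 iterations vector comes from RFC 5155 Appendix A and
is used only as a self-check of the hash function.
"""
import base64
import hashlib

NSEC3_OPT_OUT = 0x01  # RFC 5155 section 3.1.2.1: flags bit 0 is Opt-Out

# Python's base64 module speaks the A-Z2-7 alphabet; NSEC3 uses base32hex (0-9A-V).
_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def b32hex_encode(raw: bytes) -> str:
    """Unpadded base32hex, the encoding of NSEC3 owner names and next-hash fields."""
    return base64.b32encode(raw).decode("ascii").rstrip("=").translate(_TO_HEX).lower()


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt) and
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); the value is
    IH(salt, x, iterations), i.e. iterations + 1 SHA-1 applications."""
    if algorithm != 1:
        raise ValueError("NSEC3 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex_encode(digest)


def parse_nsec3(owner: str, rdata: str) -> dict:
    """Parse presentation-format RDATA such as
    '1 1 5 E35770A11A ( 0EC3N02EKQT2RUTJOS87A6A86AIILG4C NS DS RRSIG )'."""
    f = rdata.replace("(", " ").replace(")", " ").split()
    flags = int(f[1])
    return {
        "owner_hash": owner.split(".")[0].lower(),
        "algorithm": int(f[0]),
        "flags": flags,
        "opt_out": bool(flags & NSEC3_OPT_OUT),
        "iterations": int(f[2]),
        "salt": b"" if f[3] == "-" else bytes.fromhex(f[3]),
        "next_hash": f[4].lower(),
        "types": f[5:],
    }


def covers(rec: dict, h: str) -> bool:
    """True if hash h falls strictly between the record's owner and next hash.
    base32hex keeps byte order, so string comparison works; the last record
    of the chain wraps around (owner > next)."""
    owner, nxt, h = rec["owner_hash"], rec["next_hash"], h.lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def check_dummy_name(name: str, chain: list) -> dict:
    """Hash `name` with the zone's NSEC3 parameters and find the record that
    covers it. A covering record with Opt-Out set only says an unsigned
    delegation may exist there, so a validator treats the forwarded name as
    insecure and no domain-insecure is needed. Without Opt-Out the denial is
    authoritative, so Unbound needs domain-insecure for the name."""
    p = chain[0]
    h = nsec3_hash(name, p["salt"], p["iterations"], p["algorithm"])
    for rec in chain:
        if rec["owner_hash"] == h:
            # A real delegation: its DS record, not the chain, decides.
            return {"hash": h, "exists": True, "covered_by": None,
                    "needs_domain_insecure": None}
        if covers(rec, h):
            return {"hash": h, "exists": False, "covered_by": rec["owner_hash"],
                    "needs_domain_insecure": not rec["opt_out"]}
    # The records at hand do not cover the name: no conclusion from them.
    return {"hash": h, "exists": False, "covered_by": None,
            "needs_domain_insecure": None}


# The .io record quoted in the thread (dig output, reflowed onto one line).
IO_NSEC3 = parse_nsec3(
    "0dcnrnddcil4ucmvpbaekvtkjh1hud3v.io.",
    "1 1 5 E35770A11A ( 0EC3N02EKQT2RUTJOS87A6A86AIILG4C NS DS RRSIG )",
)

if __name__ == "__main__":
    print("Opt-Out set on the quoted .io record:", IO_NSEC3["opt_out"])
    print("H(nonexistentname.io) =",
          nsec3_hash("nonexistentname.io", IO_NSEC3["salt"], IO_NSEC3["iterations"]))
    print(check_dummy_name("nonexistentname.io", [IO_NSEC3]))
```

To use it against a live zone, query a name below the zone with dig +dnssec and feed the NSEC3 records from the authority section to check_dummy_name; the flag that matters is the one on the record covering the hash, since Opt-Out is set per NSEC3 record, not per zone, and a single quoted record (like the one above) will usually not be the one that covers your dummy name.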