    ba2cb05a
    DNSSEC: use only compatible algorithms with NSEC/NSEC3 · ba2cb05a
    Jan Včelák authored
    Key algorithm and used NSEC type must match:
    
    RFC 5155 states that, for compatibility with old resolvers, NSEC3
    must be used only with NSEC3 algorithms.
    
    It makes no sense to sign NSEC with NSEC3 keys, because it will make
    the validation impossible on NSEC3-unaware resolvers. This is stricter
    than what dnssec-signzone from ISC does.
    
    refs #4
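The matching rule from the commit message, as an added example (not the project's code): keys whose algorithm does not fit the zone's denial-of-existence type are excluded, and a zone left with no usable key must not be signed. The function and enum names are hypothetical, the algorithm numbers are the IANA DNSKEY values, and treating algorithms 8, 10, 13 and 14 as valid for both types is an assumption, since they have no separate NSEC3 alias.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum denial { DENIAL_NSEC = 1, DENIAL_NSEC3 = 2 };

/* Denial types an IANA DNSKEY algorithm number may sign, as a bitmask. */
static unsigned alg_denial_mask(uint8_t alg)
{
	switch (alg) {
	case 1:  /* RSAMD5 */
	case 3:  /* DSA */
	case 5:  /* RSASHA1 */
		return DENIAL_NSEC;   /* predate NSEC3: NSEC only */
	case 6:  /* DSA-NSEC3-SHA1 */
	case 7:  /* RSASHA1-NSEC3-SHA1 */
		return DENIAL_NSEC3;  /* strict rule from the commit: never NSEC */
	case 8: case 10: case 13: case 14:
		return DENIAL_NSEC | DENIAL_NSEC3; /* assumption: no alias exists */
	default:
		return 0;             /* unknown algorithm: refuse to sign */
	}
}

bool key_usable(uint8_t alg, enum denial mode)
{
	return (alg_denial_mask(alg) & (unsigned)mode) != 0;
}

/* Count keys usable in this mode; a result of 0 must abort signing. */
size_t count_usable(const uint8_t *algs, size_t n, enum denial mode)
{
	size_t usable = 0;
	for (size_t i = 0; i < n; i++) {
		usable += key_usable(algs[i], mode) ? 1 : 0;
	}
	return usable;
}

int main(void)
{
	const uint8_t keyset[] = { 5, 7, 8 }; /* constructed sample key set */
	const size_t n = sizeof(keyset) / sizeof(keyset[0]);
	printf("NSEC:  %zu usable\n", count_usable(keyset, n, DENIAL_NSEC));
	printf("NSEC3: %zu usable\n", count_usable(keyset, n, DENIAL_NSEC3));
	return count_usable(keyset, n, DENIAL_NSEC) ? 0 : 1;
}
```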