Please sign in to comment.
NSEC3 optout and Bogus insecure forward fixes
After the change to zonecuts to find key material, the NSEC3 checking returned an (incorrect) 'covering nxdomain' for a forwarded subzone with no DS record in its parent. After fixing this, the NSEC3 optout test failed as Bogus (instead of insecure). This was fixed by actually checking the optout flag on a delegation NSEC3 record.
- Loading branch information...
Showing with 10 additions and 5 deletions.