Draft summary: Previous specifications allowed for situations where aggressive use of NSEC(3) records could deny names far beyond the intended lifetime of a denial. This document changes the definition of the NSEC(3) TTL to correct that situation: the TTL of an NSEC or NSEC3 RR becomes the minimum of the SOA MINIMUM field and the TTL of the SOA RR itself, rather than the SOA MINIMUM field alone. This wiki page is an implementation report to demonstrate the draft's viability.
The following versions of commonly used DNS implementations have been reported, by the named contact, to adhere to draft-ietf-dnsop-nsec-ttl. (Future version numbers are expectations and might change.)
| Implementation | Version | Reported by |
|---|---|---|
| BIND | 9.16 (unreleased) | Matthijs Mekking |
| Knot DNS | 3.1 (unreleased) | Vladimir Cunat |
| PowerDNS | 4.3.0 | Peter van Dijk |
| ldns | 1.7.2 (under review) | Willem Toorop |
The following table lists every occurrence of the RFC 2119/RFC 8174 normative terms in the draft and, per normative term, a statement on the behavior of a given implementation. The table serves both as an implementation checklist and as an overview to help the community assess interoperability.

| # | Requirement | BIND MR | Knot MR | PowerDNS 4.3.0 |
|---|---|---|---|---|
| 1 | TTL value for any NSEC RR SHOULD be .. the minimum of .. | yes | yes | yes |
| 2 | NSEC3 SHOULD have the same TTL value as the minimum of .. | yes | yes | yes |
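As an added worked example (not code from the draft or from any of the implementations listed above), the following Python checker applies requirements 1 and 2 to a zone in presentation format: it reads the TTL of the SOA RR and its MINIMUM field, takes the minimum of the two as the draft prescribes, and reports every NSEC or NSEC3 RR whose TTL differs. The zone text, owner names, NSEC3 hash labels and TTL values are constructed for the example. The checker assumes every record carries an explicit TTL and class IN, skips `$`-directives such as `$TTL`, and joins parenthesised multi-line records before parsing.

```python
"""Check NSEC/NSEC3 TTLs against draft-ietf-dnsop-nsec-ttl.

Added example, not code from the draft or from BIND, Knot, PowerDNS or ldns.
Assumptions: presentation-format zone text, an explicit TTL and class on
every record, and no quoted strings containing ';' or parentheses.
"""

# Constructed sample zone. The SOA RR's own TTL (300) is lower than its
# MINIMUM field (3600). Under RFC 4034/5155 the NSEC(3) TTL would be 3600;
# under the draft it must be min(300, 3600) = 300. Two records get it wrong.
SAMPLE_ZONE = """\
example.  300 IN SOA ns1.example. hostmaster.example. (
              2021012601 ; serial
              7200       ; refresh
              3600       ; retry
              1209600    ; expire
              3600 )     ; minimum
example.  300 IN NS ns1.example.
example.  300 IN NSEC ns1.example. NS SOA RRSIG NSEC DNSKEY
ns1.example. 86400 IN A 192.0.2.1
ns1.example. 3600 IN NSEC example. A RRSIG NSEC
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 0 10 aabbccdd 2vptu5timamqttgl4luu9kg21e0aor3s NS SOA RRSIG DNSKEY NSEC3PARAM
"""


def _records(zone_text):
    """Yield (owner, ttl, type, rdata_tokens) for each RR in the zone text.

    Comments are stripped, parenthesised continuations are joined, and
    '$' directives (e.g. $TTL, $ORIGIN) are skipped.
    """
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # drop comment to end of line
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                          # still inside "( ... )"
        tokens = " ".join(buf).split()
        buf = []
        if not tokens or tokens[0].startswith("$"):
            continue
        owner, ttl, _cls, rtype, *rdata = tokens
        yield owner, int(ttl), rtype.upper(), rdata


def soa_ttls(zone_text):
    """Return (SOA RR TTL, SOA MINIMUM field) from the first SOA record."""
    for _owner, ttl, rtype, rdata in _records(zone_text):
        if rtype == "SOA":
            # SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
            return ttl, int(rdata[6])
    raise ValueError("zone has no SOA record")


def expected_nsec_ttl(zone_text):
    """NSEC(3) TTL as the draft defines it: min(SOA TTL, SOA MINIMUM).

    RFC 4034/5155 used the SOA MINIMUM field alone; when the SOA RR's own
    TTL is lower, that older rule lets a denial outlive the SOA it is
    derived from, which is what the draft corrects.
    """
    return min(soa_ttls(zone_text))


def check_nsec_ttls(zone_text):
    """Return [(owner, type, actual_ttl, expected_ttl)] for each NSEC/NSEC3
    RR whose TTL deviates from the draft's definition. NSEC3PARAM is not a
    denial-of-existence record and is deliberately not checked."""
    expected = expected_nsec_ttl(zone_text)
    return [
        (owner, rtype, ttl, expected)
        for owner, ttl, rtype, _rdata in _records(zone_text)
        if rtype in ("NSEC", "NSEC3") and ttl != expected
    ]


if __name__ == "__main__":
    soa_ttl, minimum = soa_ttls(SAMPLE_ZONE)
    print(f"SOA TTL={soa_ttl} MINIMUM={minimum} -> NSEC(3) TTL must be "
          f"{expected_nsec_ttl(SAMPLE_ZONE)}")
    for owner, rtype, ttl, want in check_nsec_ttls(SAMPLE_ZONE):
        print(f"{owner} {rtype}: TTL {ttl}, expected {want}")
```

Running the block on the constructed zone flags the NSEC at `ns1.example.` and the NSEC3 record, both carrying the SOA MINIMUM value of 3600 instead of the required 300; the NSEC at the apex, which already uses 300, passes. Feeding the checker a signed zone exported from one of the implementations above is a direct way to confirm the "yes" entries in the table.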
The links below lead to overviews of the code changes required to support draft-ietf-dnsop-nsec-ttl. Readers are encouraged to compare the code bases to each other to facilitate understanding of the changes the draft proposes.
BIND MR (unmerged): https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4506
Knot MR (merged): https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1219
PowerDNS (merged): changelog https://doc.powerdns.com/authoritative/changelog/4.3.html#change-4.3.0-beta2 and PR https://github.com/PowerDNS/pdns/pull/8811
ldns (unmerged): https://github.com/NLnetLabs/ldns/pull/118
The content of this page was last updated on 2021-01-26. It was migrated from the old Trac wiki on 2023-01-24.