if I understand things correctly, powerdns does 'opt-out' NSEC3, but we did not say...

I hope I got it right ;-)

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1939 d19b8d6e-7fed-0310-83ef-9ca221ded41b

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f2f94508af14c8aedb07eef392702d3855277d93..02b703abf891407b8194ff1fe26c56c3f5f423ca 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -483,7 +483,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
   NSEC3RecordContent n3rc;
   n3rc.d_set.insert(QType::RRSIG);
   n3rc.d_salt=ns3prc.d_salt;
-  n3rc.d_flags = 0;
+  n3rc.d_flags = ns3prc.d_flags;
   n3rc.d_iterations = ns3prc.d_iterations;
   n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now
 

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 92c60ba411a302cadbf70c29e9759d47fe7c7035..959b673e5c96116c988857d6e9fe4ef82375bc6c 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -442,9 +442,14 @@ try
     showZone(dk, zone);
   }
   else if(cmds[0]=="set-nsec3") {
-    string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
+    string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 1 1 ab";
     bool narrow = cmds.size() > 3 && cmds[3]=="narrow";
     NSEC3PARAMRecordContent ns3pr(nsec3params);
+    if(!ns3pr.d_flags) {
+      cerr<<"PowerDNS only implements opt-out zones, please set the second parameter to '1' (example, '1 1 1 ab')"<<endl;
+      return 0;
+    }
+    
     dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
   }
   else if(cmds[0]=="set-presigned") {