## Rules for filling out DNSSEC fields
Two additional fields in the 'records' table are important: 'auth' and 'ordername'.
-These fields are set correctly on a zone transfer, and also by running
+These fields are set correctly on an incoming zone transfer, and also by running
`pdnsutil rectify-zone`.
The 'auth' field should be set to '1' for data for which the zone itself is
In addition, PowerDNS fully supports empty non-terminals. If you have a zone
example.com, and a host a.b.c.example.com in it, rectify-zone (and the AXFR
-code) will insert b.c.example.com and c.example.com in the records table
+client code) will insert b.c.example.com and c.example.com in the records table
with type NULL (SQL NULL, not 'NULL'). Having these entries provides several benefits.
We no longer reply NXDOMAIN for these shorter names (this was an RFC violation
but not one that caused trouble). But more importantly, to do NSEC3 correctly,
retrieved from a master server, this keying material will be used when serving
data from this zone.
-As part of the zone transfer, the equivalent of `pdnsutil rectify-zone` is run
-to make sure that all DNSSEC-related fields are set correctly.
+As part of the zone retrieval, the equivalent of `pdnsutil rectify-zone` is run
+to make sure that all DNSSEC-related fields are set correctly in the backend.
-Signatures and Hashing is similar as described [above](#online-signing)
+## Signed AXFR
+An outgoing zone transfer from a signing master contains all information
+required for the receiving party to rectify the zone without knowing the keys,
+such as signed NSEC3 records for empty non-terminals. The zone is not required
+to be rectified on the master.
+
+Signatures and Hashing is similar as described [above](#online-signing).
## BIND-mode operation
Starting with PowerDNS 3.1, the bindbackend can manage keys in an SQLite3 database
projects / pdns / commitdiff