bind 9.7, dnssec and multiple key directories and resalt NSEC3

Evan Hunt each at isc.org
Fri Jun 4 16:10:35 UTC 2010


> The first one, can I configure multiple key directories? The reasoning
> for this is that I would like to separate the KSKs from the ZSKs.

No, you can't... but that's an interesting idea.  Right now it's a single
key directory per zone.

> The second question. I've tried doing a resalt using dynamic updates
> but I can't get it to work. Just adding a new NSEC3PARAM RR crashes
> Bind and doing a delete and then an add (to replace the present RR)
> gives me a servfail but I see the updates in the log.
> What is the correct way to do a resalt when using automatic signing?

The way it's supposed to work is: you add the new NSEC3PARAM record,
then wait for the new NSEC3 chain to be built.  The newly inserted record
will, at first, have its "flags" field set to a nonzero value; this
indicates that the chain isn't complete yet.  When the server is finished
building the chain, it updates the newly-added NSEC3PARAM record, and
zeroes the flags field.  At that point, it's safe to remove the old
NSEC3PARAM record, which will cause the server to remove the old NSEC3
chain.

If inserting a new NSEC3PARAM RR is crashing named, please file a bug
report.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
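The resalt sequence described above, as an added example that is not part of the original post and not BIND's own tooling: POSIX shell helpers that emit the nsupdate scripts for the "add new NSEC3PARAM" and "delete old NSEC3PARAM" steps, and a check that reads `dig +noall +answer <zone> NSEC3PARAM` output and reports whether the record carrying the new salt has its flags field zeroed yet. The zone name, the two salts, the nonzero flags value in the sample and the sample answer lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, not BIND's own code): helpers for
# the NSEC3 resalt sequence: add the new NSEC3PARAM, wait until the server has
# zeroed its flags field (chain complete), then delete the old NSEC3PARAM.
# Zone, salts and the sample dig answers below are constructed placeholders.

# Print an nsupdate script that adds the new NSEC3PARAM record (step 1).
# Args: zone hash-alg iterations new-salt-hex
add_nsec3param_script() {
    printf 'update add %s. 0 IN NSEC3PARAM %s 0 %s %s\nsend\n' "$1" "$2" "$3" "$4"
}

# Print an nsupdate script that deletes the old NSEC3PARAM record (step 3,
# only after the new chain is complete). Args: zone hash-alg iterations old-salt-hex
delete_nsec3param_script() {
    printf 'update delete %s. 0 IN NSEC3PARAM %s 0 %s %s\nsend\n' "$1" "$2" "$3" "$4"
}

# Read "dig +noall +answer <zone> NSEC3PARAM" style lines on stdin and classify
# the record carrying salt $1:
#   exit 0 -> present with flags 0   (new chain complete; old record may go)
#   exit 1 -> present, flags nonzero (server still building the chain)
#   exit 2 -> not present at all
# Record layout: owner TTL IN NSEC3PARAM alg flags iterations salt
nsec3param_state() {
    awk -v salt="$1" '
        $4 == "NSEC3PARAM" && toupper($8) == toupper(salt) {
            found = 1
            if ($6 == "0") ready = 1
        }
        END { if (!found) exit 2; if (ready) exit 0; exit 1 }'
}

# Poll a live server until the new chain is complete (needs dig; not run offline).
# Args: server zone new-salt-hex [interval-seconds]
wait_for_chain() {
    while :; do
        dig @"$1" +noall +answer "$2" NSEC3PARAM | nsec3param_state "$3"
        case $? in
            0) return 0 ;;   # flags zeroed: safe to remove the old NSEC3PARAM
            2) return 2 ;;   # new record never appeared: the add did not take
        esac
        sleep "${4:-30}"
    done
}

# Constructed sample answers. 0123ABCD is the old salt; FEDC4567 is the new one.
# In the first sample the new record still carries a nonzero flags value
# (128 here is just a constructed nonzero value), in the second it is zeroed.
SAMPLE_BUILDING='example.com. 0 IN NSEC3PARAM 1 0 10 0123ABCD
example.com. 0 IN NSEC3PARAM 1 128 10 FEDC4567'
SAMPLE_DONE='example.com. 0 IN NSEC3PARAM 1 0 10 0123ABCD
example.com. 0 IN NSEC3PARAM 1 0 10 FEDC4567'

# Offline walk-through of the decision the operator has to make.
if printf '%s\n' "$SAMPLE_BUILDING" | nsec3param_state FEDC4567; then
    echo "unexpected: chain reported complete"
else
    echo "chain still building; do not delete the old NSEC3PARAM yet"
fi
if printf '%s\n' "$SAMPLE_DONE" | nsec3param_state FEDC4567; then
    echo "new chain complete; this is the update to send now:"
    delete_nsec3param_script example.com 1 10 0123ABCD
fi
```

In use, `add_nsec3param_script example.com 1 10 NEWSALT | nsupdate -l` (or with `-k` and a TSIG key) starts the resalt, `wait_for_chain 127.0.0.1 example.com NEWSALT` blocks until the server has zeroed the flags field, and only then is the delete script sent. The check deliberately keys on the salt rather than on record position, so it still works if the zone briefly holds both NSEC3PARAM records in either order.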