DNSSEC auto-dnssec issue bind-9.7.2-P3
Kalman Feher
kalman.feher at melbourneit.com.au
Tue Jan 25 16:07:25 UTC 2011
On 25/01/11 4:10 PM, "Alan Clegg" <aclegg at isc.org> wrote:
> On 1/25/2011 9:51 AM, Kalman Feher wrote:
>
>> If the nsec3param has been removed, the automated signing will be weird if
>> you are using nsec3 keys. I haven't tested this scenario, since it isn't
>> really a working scenario.
>
> There is no such thing as an "nsec3 key".
Sorry, I was a little sloppy with my vernacular.
I meant the algorithm used to create the keys in question, i.e. using -3 in
dnssec-keygen.
>
> If you auto-sign a zone that does not contain an NSEC3PARAM record, the
> zone will be signed using NSEC.
That was the observed behaviour of the OP, which wasn't their preference.
Hence the need to add and retain said nsec3param in this instance.
>
> [note that I'm leaving the rest of that mail to be responded to by
> someone with more intimate knowledge of the auto-signing mechanism]
>
> AlanC
--
Kal Feher
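
Added example, not part of the original thread: a Python check that reads a zone's DNSKEY and NSEC3PARAM records and reports which denial-of-existence chain auto-signing will use, following the rule stated above (no NSEC3PARAM record means NSEC). The function names, the example.com zone and the key data are constructed for illustration.

```python
# Algorithms that cannot be used with NSEC3 (RFC 5155): RSAMD5, DSA, RSASHA1.
# 6 and 7 are their NSEC3-capable aliases; later algorithms are all capable.
NSEC_ONLY_ALGS = {1, 3, 5}

# Constructed sample: keys made with an NSEC3-capable algorithm (7), no NSEC3PARAM.
SAMPLE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 3600 600 86400 3600
example.com. 3600 IN DNSKEY 257 3 7 AwEAAcCONSTRUCTEDKSK ; constructed key data
example.com. 3600 IN DNSKEY 256 3 7 AwEAAdCONSTRUCTEDZSK ; constructed key data
"""
PARAM = "example.com. 0 IN NSEC3PARAM 1 0 10 ABCD\n"  # constructed parameters

def apex_records(zone_text):
    """Yield (rrtype, rdata_fields) for each DNSKEY and NSEC3PARAM line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        for i, tok in enumerate(fields[:4]):  # type follows optional owner/TTL/class
            tok = tok.upper()
            if tok in ("RRSIG", "NSEC", "NSEC3"):
                break  # their rdata can mention DNSKEY as a covered type
            if tok in ("DNSKEY", "NSEC3PARAM"):
                yield tok, fields[i + 1:]
                break

def predict_chain(zone_text):
    """Return (chain, warnings); chain is 'NSEC3' only if NSEC3PARAM exists."""
    algs, has_param = set(), False
    for rrtype, rdata in apex_records(zone_text):
        if rrtype == "NSEC3PARAM":
            has_param = True
        elif len(rdata) >= 3 and rdata[2].isdigit():
            algs.add(int(rdata[2]))  # DNSKEY rdata: flags protocol algorithm key
    nsec_only = sorted(algs & NSEC_ONLY_ALGS)
    warnings = []
    if has_param and nsec_only:
        warnings.append(f"NSEC3PARAM present but algorithm(s) {nsec_only} are NSEC-only")
    if not has_param and algs and not nsec_only:
        warnings.append("NSEC3-capable keys but no NSEC3PARAM: zone will be signed with NSEC")
    return ("NSEC3" if has_param else "NSEC"), warnings

if __name__ == "__main__":
    print(predict_chain(SAMPLE))
    print(predict_chain(SAMPLE + PARAM))
```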