NSEC3/NSEC transition
David Sherman
dsherman at bluecatnetworks.com
Thu Feb 14 20:44:24 UTC 2013
Thank you, Mark
Is it safe to keep the -u option for dnssec-signzone in all cases, regardless of the current actual NSEC/NSEC3 chains?
Thanks,
David
-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: February-14-13 3:23 PM
To: David Sherman
Cc: bind-users at isc.org
Subject: Re: NSEC3/NSEC transition
In message <CB52CF69EC353F4FBC9BA1581123C72E1C73D14C at TORMBXW01.bluecatnetworks.corp>, David Sherman writes:
> Hi,
>
> If dynamic signing is used with BIND 9.8, what is the recommended
> procedure to switch from NSEC3-signed zone to NSEC-signed without
> changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for both ZSK and KSK)?
> Any specific options for dnssec-signzone?
Throw the signed zone in an editor. Remove all the NSEC3 records. Remove the NSEC3PARAM records. Sign the zone but DO NOT use -3 or -H. If you don't specify a salt or iterations then an NSEC chain will be built instead of an NSEC3 chain.
For a dynamic zone just remove all NSEC3PARAM records. named will do the rest.
> Thanks,
> David
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
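The manual step Mark describes for a statically signed zone (remove every NSEC3 and NSEC3PARAM record, then re-sign without -3/-H) is easy to get wrong by hand in a large zone, so here is a small script that does the stripping and checks the result. It is an added example, not code from the thread or from ISC; it assumes the zone file has one resource record per line (no parenthesised multi-line records), and the sample zone, key tags and signature bodies inside it are constructed placeholders, not real data.

```python
"""Strip NSEC3 and NSEC3PARAM records (and the RRSIGs that cover them)
from a one-record-per-line signed zone file, so that the zone can be
re-signed with dnssec-signzone WITHOUT -3/-H to rebuild an NSEC chain.

Added example; assumes one RR per line. Sample data below is constructed.
"""
import sys
from typing import List, Optional, Tuple

CLASSES = {"IN", "CH", "HS", "ANY"}
NSEC3_TYPES = {"NSEC3", "NSEC3PARAM"}

# Constructed sample of a signed zone (placeholder keys, hashes, signatures).
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013021401 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 10 AwEAAcKSKPLACEHOLDER==
example.com. 3600 IN DNSKEY 256 3 10 AwEAAdZSKPLACEHOLDER==
example.com. 0 IN NSEC3PARAM 1 0 10 ABCDEF
example.com. 3600 IN RRSIG NSEC3PARAM 10 2 0 20130314000000 20130214000000 12345 example.com. c2lnPLACEHOLDER==
example.com. 3600 IN RRSIG SOA 10 2 3600 20130314000000 20130214000000 12345 example.com. c2lnPLACEHOLDER==
P3OAHU4GB1D1CG84N6MHR6HPIJI96OB2.example.com. 3600 IN NSEC3 1 0 10 ABCDEF P3OBHU4GB1D1CG84N6MHR6HPIJI96OB3 NS SOA RRSIG DNSKEY NSEC3PARAM
P3OAHU4GB1D1CG84N6MHR6HPIJI96OB2.example.com. 3600 IN RRSIG NSEC3 10 3 3600 20130314000000 20130214000000 12345 example.com. c2lnPLACEHOLDER==
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 10 3 3600 20130314000000 20130214000000 12345 example.com. c2lnPLACEHOLDER==
"""


def record_type(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (rrtype, covered_type) for one zone-file line.

    covered_type is only set for RRSIG records (the type the signature covers).
    Blank lines, ';' comments and $-directives yield (None, None).
    """
    if not line.strip() or line.lstrip().startswith((";", "$")):
        return None, None
    fields = line.split()
    i = 0 if line[0].isspace() else 1          # leading whitespace = owner omitted
    if i < len(fields) and fields[i].isdigit():  # optional TTL
        i += 1
    if i < len(fields) and fields[i].upper() in CLASSES:  # optional class
        i += 1
    if i >= len(fields):
        return None, None
    rrtype = fields[i].upper()
    covered = None
    if rrtype == "RRSIG" and i + 1 < len(fields):
        covered = fields[i + 1].upper()
    return rrtype, covered


def is_nsec3_related(line: str) -> bool:
    """True for NSEC3, NSEC3PARAM and RRSIGs covering either of them."""
    rrtype, covered = record_type(line)
    return rrtype in NSEC3_TYPES or (rrtype == "RRSIG" and covered in NSEC3_TYPES)


def strip_nsec3(zone_text: str) -> Tuple[List[str], int]:
    """Return (kept_lines, removed_count) with all NSEC3-related lines dropped."""
    kept, removed = [], 0
    for line in zone_text.splitlines():
        if is_nsec3_related(line):
            removed += 1
        else:
            kept.append(line)
    return kept, removed


def has_nsec3(zone_text: str) -> bool:
    """Post-condition check: does anything NSEC3-related remain?"""
    return any(is_nsec3_related(line) for line in zone_text.splitlines())


if __name__ == "__main__":
    # usage: python strip_nsec3.py db.example.com.signed > db.example.com.stripped
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    lines, n = strip_nsec3(text)
    assert not has_nsec3("\n".join(lines)), "NSEC3 data still present"
    sys.stdout.write("\n".join(lines) + "\n")
    sys.stderr.write(f"removed {n} NSEC3-related records\n")
    # Next step, per Mark's reply: re-sign with NO -3 and NO -H, e.g.
    #   dnssec-signzone -o example.com -K /path/to/keys db.example.com.stripped
    # (paths and zone name are placeholders). With no salt/iterations given an
    # NSEC chain is built instead of an NSEC3 chain.
```

For the dynamic-zone case the script is unnecessary: Mark's instruction is to delete the NSEC3PARAM RRset and let named rebuild the chain, which in practice is an `update delete <zone> NSEC3PARAM` sent via nsupdate (that command form is my assumption of how the deletion is done, not something the thread spells out). Either way, verify with the zone's own data afterwards: `has_nsec3` here, or `dig +dnssec` against the authoritative server, should show NSEC rather than NSEC3 records in negative answers once the re-signing has completed.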