bind 9.7, dnssec and multiple key directories and resalt NSEC3

Casey Deccio casey at deccio.net
Fri Jun 4 15:01:20 UTC 2010


On Fri, Jun 4, 2010 at 3:11 AM, Tim Verhoeven <tim.verhoeven.be at gmail.com> wrote:

>
> The second question. I've tried doing a resalt using dynamic updates
> but I can't get it to work. Just adding a new NSEC3PARAM RR crashes
> BIND and doing a delete and then an add (to replace the present RR)
> gives me a servfail but I see the updates in the log.
> What is the correct way to do a resalt when using automatic signing?
>
>
This should work:

rndc freeze
dnssec-signzone ... # using same keys but with new NSEC3 salt
rndc reload
rndc thaw

Although, at least in earlier versions of BIND, if not all RRsets in the
zone are resigned with the resign (i.e., within "interval" specified with
-i), then the NSEC3 chain with the new salt is added to any existing NSEC3
chains. There shouldn't be any ill effects from this, but it does increase
the size of the zone some.

Regards,
Casey
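
A check for the side effect described above, as an added example that is not part of the original message: it counts the distinct NSEC3 parameter sets in a signed zone file, so a leftover chain with the old salt shows up as a count above one. The function names and the sample zone are constructed for illustration, and it assumes each NSEC3 record's type and parameters sit on one line.

```shell
#!/bin/sh
# Added example: count the NSEC3 chains in a signed zone file after a resalt.

# Print one "algorithm iterations SALT" line per distinct NSEC3 parameter set.
nsec3_param_sets() {
    awk '
    $1 ~ /^;/ { next }                       # skip comment lines
    {
        for (i = 1; i <= NF - 4; i++) {
            # exact NSEC3 type token: not NSEC3PARAM, not "RRSIG NSEC3 ..."
            if ($i == "NSEC3" && $(i - 1) != "RRSIG") {
                print $(i + 1), $(i + 3), toupper($(i + 4))
                break
            }
        }
    }' "$1" | sort -u
}

# Number of distinct chains; anything above 1 means an old chain is still present.
nsec3_chain_count() {
    nsec3_param_sets "$1" | wc -l | tr -d ' '
}

# Constructed sample: old salt AABBCCDD left behind next to new salt DEADBEEF.
write_sample_zone() {
    cat > "$1" <<'EOF'
example.com. 3600 IN NSEC3PARAM 1 0 10 DEADBEEF
; constructed hashed owner names below
0p9mhave.example.com. 3600 IN NSEC3 1 0 10 AABBCCDD 2T7B4G4V A RRSIG
0p9mhave.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20100704000000 20100604000000 12345 example.com. c2ln
2t7b4g4v.example.com. 3600 IN NSEC3 1 0 10 AABBCCDD 0P9MHAVE NS SOA RRSIG DNSKEY NSEC3PARAM
b4um86eg.example.com. 3600 IN NSEC3 1 0 10 deadbeef KOHAR7MB A RRSIG
kohar7mb.example.com. 3600 IN NSEC3 1 0 10 DEADBEEF B4UM86EG NS SOA RRSIG DNSKEY NSEC3PARAM
EOF
}

zone=$(mktemp)
write_sample_zone "$zone"
echo "NSEC3 chains found: $(nsec3_chain_count "$zone")"
nsec3_param_sets "$zone"
rm -f "$zone"
```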