Strange issue with signed zone

Mark Elkins mje at posix.co.za
Thu Oct 27 16:05:01 UTC 2011


On Wed, 2011-10-26 at 13:59 +0400, Peter Andreev wrote:
> Hello!
> 
> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> Recently we realised that our servers don't generate NSEC3 for the signed zone.
> The problem went away after we restarted the BIND instances.

Not sure about your problem - but if you are only just now starting to
generate keys for DNSSEC, consider using RSASHA256 rather than RSASHA1.
Key protocol rollovers need much love and care (and bit me in the ass)
- rather avoid the situation by not using the older protocol for key
generation. I believe the 'root' was signed with RSASHA256, so support
for it should be widespread.

> Is described behaviour normal for BIND or not?

I believe there was some sort of bug that required a named restart.


-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
