changing NSEC3 salt

Klaus Darilion klaus.mailinglists at pernau.at
Thu Feb 6 14:25:43 UTC 2014



On 06.02.2014 11:56, Cathy Almond wrote:
> On 05/02/2014 18:54, David Newman wrote:
>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
>> time a zone's ZSK changes.
>>
>> Is this just a matter of a new 'rndc signing' command, or is some action
>> needed to remove the old salt?
>>
>> thanks
>>
>> dn
>
> rndc signing -nsec3param ...
>
> I would expect the old NSEC3 chain and old NSEC3PARAM record to be
> removed, once the new chain is in place.
>
> (Similarly, the new NSEC3PARAM record will not appear in the zone until
> the new NSEC3 chain has been completely generated).

And I recommend using 9.9.5 - I had some NSEC3 troubles with 9.9.4.

regards
Klaus
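
Added example, not part of the original message or of the BIND distribution: a shell sketch of the salt change discussed in this thread, which issues `rndc signing -nsec3param` with a fresh random salt and then waits until the published NSEC3PARAM record carries that salt, since the new record only appears once the new chain is complete. The hash algorithm (1), flags (0), the iteration count, the zone name passed in, and the local server address 127.0.0.1 are assumptions to adjust for your zone.

```shell
#!/bin/sh
# Added example; zone, iterations and server address are placeholders.

# Generate an 8-byte random salt as 16 uppercase hex characters.
new_salt() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Extract the salt (4th field) from one NSEC3PARAM rdata line,
# in the form printed by `dig +short`: "<hash> <flags> <iterations> <salt>".
nsec3param_salt() {
    printf '%s\n' "$1" | awk 'NF >= 4 { print toupper($4) }'
}

# Succeed only when exactly one NSEC3PARAM record is present and it carries
# the expected salt. Requiring exactly one record is a conservative choice
# made for this example.
salt_is_live() {  # $1 = expected salt, $2 = dig +short output
    [ "$(printf '%s\n' "$2" | grep -c .)" -eq 1 ] || return 1
    [ "$(nsec3param_salt "$2")" = "$(printf '%s' "$1" | tr 'a-f' 'A-F')" ]
}

# Request a new NSEC3 chain and poll until the new NSEC3PARAM is published.
rotate_salt() {  # $1 = zone, $2 = iterations
    zone=$1; iter=$2; salt=$(new_salt)
    rndc signing -nsec3param 1 0 "$iter" "$salt" "$zone" || return 1
    tries=0
    while [ "$tries" -lt 60 ]; do
        out=$(dig +short NSEC3PARAM "$zone" @127.0.0.1)
        if salt_is_live "$salt" "$out"; then
            echo "new salt $salt is live for $zone"
            return 0
        fi
        tries=$((tries + 1))
        sleep 5
    done
    echo "timed out waiting for salt $salt on $zone" >&2
    return 1
}

# Usage (on the signing server): rotate_salt example.com 10
```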

