Bind and ZSK-Rollovers: Changing salt automatically?
Evan Hunt
each at isc.org
Mon Jul 28 17:09:57 UTC 2014
On Mon, Jul 28, 2014 at 06:16:13PM +0200, Johannes Kastl wrote:
> > In the same cron job, it is then possible to create a new NSEC3
> > salt and inject that into the zone.
>
> So basically BIND cannot do that for me, each time it does a key
> rollover. That's what I wanted to know.

"rndc signing -nsec3param" can change your salt. Specifying "auto" as
the salt causes named to generate a salt at random.

There's currently no way to schedule it the way you can schedule
key rollovers, but you can put it in a crontab.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
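
The crontab approach described in the message above, as an added example that is not part of the original post or ISC's own code: a small wrapper that asks named for a new random salt on each listed zone. The zone names, the NSEC3 hash/flags/iterations values, the script path and the schedule are assumptions to adapt to your own zone policy.

```shell
#!/bin/sh
# Added example: rotate the NSEC3 salt for a list of zones from cron.
# Assumptions: zone names, NSEC3 parameters and the install path are placeholders.

RNDC="${RNDC:-rndc}"   # path to rndc; can be overridden (e.g. RNDC=echo for a dry run)
NSEC3_HASH=1           # 1 = SHA-1, the only NSEC3 hash algorithm defined
NSEC3_FLAGS=0          # 0 = no opt-out
NSEC3_ITER=10          # assumed iteration count; use the value your zone already has

# Accept only plain zone names so a bad zone list cannot inject rndc options.
valid_zone() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Ask named to rebuild the NSEC3 chain with a randomly generated salt ("auto").
rotate_salt() {
    zone="$1"
    valid_zone "$zone" || { echo "skipping invalid zone: $zone" >&2; return 2; }
    "$RNDC" signing -nsec3param "$NSEC3_HASH" "$NSEC3_FLAGS" "$NSEC3_ITER" auto "$zone"
}

# Rotate every zone given; keep going on failure and return the failure count.
rotate_all() {
    failed=0
    for z in "$@"; do
        rotate_salt "$z" || failed=$((failed + 1))
    done
    return "$failed"
}

# Example crontab entry (assumed install path), 03:00 on the first of each month:
# 0 3 1 * * /usr/local/sbin/rotate-nsec3-salt.sh example.com example.net
if [ "$#" -gt 0 ]; then
    rotate_all "$@"
fi
```

Because cron mails any output, a non-zero exit or a "skipping invalid zone" line on stderr is the signal that a zone kept its old salt.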

More information about the bind-users mailing list