do not stupidly delete ZSK files

Tony Finch dot at dotat.at
Sat Aug 8 10:38:31 UTC 2015


Lawrence K. Chen, P.Eng. <lkchen at ksu.edu> wrote:
> On 2015-07-31 06:33, Tony Finch wrote:
> >
> > The DNSSEC records come from the zone data like any other records. You
> > don't need any special DNSSEC configuration to act as a secondary for a
> > signed zone - it just works.
>
> Is that the case now?  I recall when I was initially deploying DNSSEC, DLV
> required that all my nameservers respond the same.
>
> We use NSEC3 on our zones, but at the time our network operator's nameservers
> didn't support NSEC3, so were absent from their responses.  Had to delay until
> they upgraded their servers (something about needing to upgrade from 5 to 6
> first), before we could go DNSSEC.

Yes, your secondaries need code to implement DNSSEC but they don't need
any special DNSSEC configuration.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire, South Utsire: Southwesterly 4 or 5, backing southerly 5
or 6, occasionally 7 for a time in Viking and North Utsire. Slight or
moderate, occasionally rough later in Viking. Rain later. Good, occasionally
poor later.

