procedure for re-signing zones on nsec3param change, when using dnssec-policy full automation?
PGNet Dev
pgnet.dev at gmail.com
Thu Oct 20 13:48:52 UTC 2022
> On 19. 10. 22 19:48, Mark Andrews wrote:
>> Just reload the server.
+1
>>> with the does the DS record need to be touched? i.e., will the changed to nsec3param change the zone's KSK?
>
> Let me add that no, DS record is not affected at all by NSEC or NSEC3.
dnssec-policy management is doing a nice job of making this easy! even if not always clear to me in the docs
after the config edit, and reload,
dig example.com nsec3param
...
;; ANSWER SECTION:
exmaple.com. 5 IN NSEC3PARAM 1 0 0 -
...
and, NO upstream DS RECORD update, all my functional checks seem, so far, to be passing.
thx!
More information about the bind-users
mailing list