On Jul 15 2009, Mark Andrews wrote:

> In message <prayer.1.3.1.0907141701530.27...@hermes-2.csi.cam.ac.uk>,
> Chris Thompson writes:
>> In BIND 9.6.0 one could take an unsigned zone and add an initial
>> KSK and ZSK to it using nsupdate (and if the right files were in the
>> key directory, it would sign everything correctly). In BIND 9.6.1
>> this no longer works: it returns REFUSED. It's unclear to me whether
>> this change was intended - if so I can't work out which entry in the
>> CHANGES file it corresponds to.
>
> 2530. [bug] named failed to reject insecure to secure transitions
>       via UPDATE. [RT #19101]
>
> The functionality was supposed to be conditionally available.
> When it is complete it will be available in a default build.

Thank you. Also Shumon Huque pointed out in private e-mail that this
has recently been discussed on bind-users in the thread "DNSKEY dynamic
update: unexpected change 9.6.0-P1 -> 9.6.1". It was careless of me
not to have checked that.
Luckily my current plans for transitioning "real" zones from unsigned
to signed involve freezing, signing with dnssec-signzone, and then
thawing.
--
Chris Thompson
Email: c...@cam.ac.uk