On Fri, Jun 4, 2010 at 3:11 AM, Tim Verhoeven <tim.verhoeven...@gmail.com> wrote:
>
> The second question. I've tried doing a resalt using dynamic updates
> but I can't get it to work. Just adding a new NSEC3PARAM RR crashes
> BIND and doing a delete and then an add (to replace the present RR)
> gives me a servfail but I see the updates in the log.
> What is the correct way to do a resalt when using automatic signing?
>

This should work:

    rndc freeze
    dnssec-signzone ... # using same keys but with new NSEC3 salt
    rndc reload
    rndc thaw

Although, at least in earlier versions of BIND, if not all RRsets in the zone are resigned with the resign (i.e., within "interval" specified with -i), then the NSEC3 chain with the new salt is added to any existing NSEC3 chains. There shouldn't be any ill effects from this, but it does increase the size of the zone some.

Regards,
Casey
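The reply above notes that a resalt can leave the old NSEC3 chain in the zone beside the new one. As an added example (not part of the original message and not BIND's own tooling), this shell script counts the distinct NSEC3 chains in a text-format signed zone file; the function names and the sample zone are constructed for illustration.

```shell
#!/bin/sh
# Added example: count the distinct NSEC3 chains in a text-format signed zone.

# Print "<records> <algorithm> <iterations> <salt>" for each chain found in $1.
nsec3_chains() {
    awk '
        /^[ \t]*;/ { next }    # skip comment lines
        {
            for (i = 1; i + 4 <= NF; i++) {
                # "NSEC3" right after "RRSIG" is the type-covered field of a
                # signature, not an NSEC3 record
                if ($i == "NSEC3" && (i == 1 || $(i - 1) != "RRSIG")) {
                    # rdata order: algorithm, flags, iterations, salt; the
                    # opt-out flag is per record, so it is not part of the key
                    count[$(i + 1) " " $(i + 3) " " toupper($(i + 4))]++
                    break
                }
            }
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k2
}

# Number of distinct chains; more than 1 means an old chain is still present.
nsec3_chain_count() {
    nsec3_chains "$1" | wc -l | tr -d ' '
}

# Constructed sample (not real zone data): two chains, salts AAAA1111 and BBBB2222.
write_sample_zone() {
    cat > "$1" <<'EOF'
; constructed sample for illustration
example.com. 3600 IN NSEC3PARAM 1 0 10 BBBB2222
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 0 10 AAAA1111 (
        2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG )
        3600 RRSIG NSEC3 7 3 3600 20100704000000 20100604000000 12345 example.com. c2ln
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.com. 3600 IN NSEC3 1 0 10 AAAA1111 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NS SOA RRSIG DNSKEY NSEC3PARAM
ji6neoaepv8b5o6k4ev33abha8ht9fgc.example.com. 3600 IN NSEC3 1 1 10 bbbb2222 k8udemvp1j2f7eg6jebps17vp3n8i58h A RRSIG
k8udemvp1j2f7eg6jebps17vp3n8i58h.example.com. 3600 IN NSEC3 1 0 10 BBBB2222 ji6neoaepv8b5o6k4ev33abha8ht9fgc NS SOA RRSIG DNSKEY NSEC3PARAM
EOF
}

# Stand-alone use: pass a signed zone file path to list its chains.
if [ -n "${1:-}" ]; then
    nsec3_chains "$1"
fi
```

More than one line of output means records from more than one salt (or iteration count) are still in the zone.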
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users