On 2011-01-24 14:34, Kalman Feher wrote:
> I assume you did add the nsec3param record via nsupdate after adding the
> zone? I note that there is an NSEC entry there, which is not right.
>

Yes, with nsupdate, and the lack of NSEC3PARAM was very odd.

> Are you following this same workflow?
> FWIW I use a script to add all my test zones from a zone template file. That
> script automatically adds the nsec3param as soon as the zone is loaded, but
> before it signs. That way I keep things simple and never forget to update
> that zone before signing.

I made a few more tests, and as I understand it, you have to have at least one key in the 'Activate' state.

For example: the same example zone, keys generated with future Prepublish and Activate events, adding NSEC3PARAM via nsupdate:

Jan 24 15:28:36 named[15837]: update: client 127.0.0.1#8917: updating zone 'example/IN': adding an RR at 'example' NSEC3PARAM
Jan 24 15:28:36 named[15837]: general: zone example/IN: dns_zone_addnsec3chain(hash=1, iterations=12, salt=19CC44675CFB020065B1)
Jan 24 15:28:36 named[15837]: general: zone example/IN: zone_addnsec3chain(1,CREATE,12,19CC44675CFB020065B1)

Now I want named to read the key timings from the key files, so I run 'rndc sign example':

Jan 24 15:28:37 named[15837]: general: received control channel command 'sign example'
Jan 24 15:28:37 named[15837]: general: zone example/IN: reconfiguring zone keys
Jan 24 15:28:37 named[15837]: general: zone example/IN: zone_addnsec3chain(1,REMOVE|NONSEC,12,19CC44675CFB020065B1)
Jan 24 15:28:37 named[15837]: general: zone example/IN: next key event: 24-Jan-2011 15:29:36.860
Jan 24 15:29:36 named[15837]: general: zone example/IN: reconfiguring zone keys
Jan 24 15:29:36 named[15837]: general: zone example/IN: next key event: 24-Jan-2011 16:29:36.886

and my NSEC3PARAM record is removed! My question is: why? Why can't I have an NSEC3PARAM record in my zone before signing it?

If I wait until the 'Activate' event (16:29:36.886 for this particular test), I get a strange-looking signed zone (which I attached in my previous emails) without my NSEC3PARAM record.
--
regards
zbigniew jasinski
[SYStem OPerator]

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
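The thread's observation is that named discards an NSEC3PARAM added while no key is yet in the Activate state, and that the removal shows up in the log as a zone_addnsec3chain(...,REMOVE|NONSEC,...) line right after "reconfiguring zone keys". The following is an added example, not code from the poster, from ISC or from BIND: a small pre-flight check that reads the timing comments dnssec-keygen and dnssec-settime write into K*.key files ("; Publish:", "; Activate:", ...), reports whether any key is active at the moment you intend to add NSEC3PARAM, and a parser that picks the chain create/remove events out of named's log. The two sample key files are constructed for this example (key ids and DNSKEY material are placeholders); their timestamps are taken from the key events in the log above, and the sample log lines are the ones quoted in the message.

```python
"""Pre-flight check for BIND auto-dnssec key timing, plus a parser for the
zone_addnsec3chain lines named logs when it creates or removes an NSEC3 chain.

Key metadata format: dnssec-keygen / dnssec-settime write timing comments into
K<zone>+<alg>+<id>.key files, e.g. "; Activate: 20110124162936 (...)".
The sample key files below are constructed for this example.
"""
import re
from datetime import datetime

# "; Publish: 20110124152936 (Mon Jan 24 15:29:36 2011)" -> field, YYYYMMDD[HHMMSS]
_META_RE = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14}|\d{8})")

# "zone example/IN: zone_addnsec3chain(1,REMOVE|NONSEC,12,19CC44675CFB020065B1)"
_NSEC3_RE = re.compile(
    r"zone (\S+): zone_addnsec3chain\((\d+),([A-Z|]+),(\d+),([0-9A-Fa-f]+|-)\)")


def parse_key_timing(keyfile_text):
    """Return {field: datetime} for the timing comment lines in a .key file."""
    timing = {}
    for line in keyfile_text.splitlines():
        m = _META_RE.match(line)
        if m:
            field, stamp = m.group(1), m.group(2)
            fmt = "%Y%m%d%H%M%S" if len(stamp) == 14 else "%Y%m%d"
            timing[field] = datetime.strptime(stamp, fmt)
    return timing


def key_state(timing, now):
    """Classify one key at instant `now`; later lifecycle events take precedence."""
    if "Delete" in timing and now >= timing["Delete"]:
        return "deleted"
    if "Inactive" in timing and now >= timing["Inactive"]:
        return "inactive"
    if "Activate" in timing and now >= timing["Activate"]:
        return "active"
    if "Publish" in timing and now >= timing["Publish"]:
        return "published"
    return "future"


def check_zone_keys(keyfiles, now):
    """keyfiles: {filename: contents}. Returns (any_key_active, {filename: state})."""
    states = {name: key_state(parse_key_timing(text), now)
              for name, text in keyfiles.items()}
    return any(s == "active" for s in states.values()), states


def next_activation(keyfiles, now):
    """Earliest Activate time still in the future, or None if there is none."""
    future = []
    for text in keyfiles.values():
        t = parse_key_timing(text).get("Activate")
        if t is not None and t > now:
            future.append(t)
    return min(future) if future else None


def nsec3chain_events(log_lines):
    """Extract (zone, action, hash_alg, iterations, salt) from named log lines."""
    events = []
    for line in log_lines:
        m = _NSEC3_RE.search(line)
        if m:
            zone, alg, action, iters, salt = m.groups()
            events.append((zone, action, int(alg), int(iters), salt))
    return events


def nsec3chain_removed(log_lines):
    """True if named logged removal of an NSEC3 chain (the symptom in the thread)."""
    return any("REMOVE" in ev[1] for ev in nsec3chain_events(log_lines))


# Constructed sample key files (placeholder key ids and key material).
SAMPLE_KEYFILES = {
    "Kexample.+008+11111.key": (
        "; This is a key-signing key, keyid 11111, for example.\n"
        "; Publish: 20110124152936 (Mon Jan 24 15:29:36 2011)\n"
        "; Activate: 20110124162936 (Mon Jan 24 16:29:36 2011)\n"
        "example. IN DNSKEY 257 3 8 AwEAAplaceholder=\n"),
    "Kexample.+008+22222.key": (
        "; This is a zone-signing key, keyid 22222, for example.\n"
        "; Publish: 20110124152936 (Mon Jan 24 15:29:36 2011)\n"
        "; Activate: 20110124162936 (Mon Jan 24 16:29:36 2011)\n"
        "example. IN DNSKEY 256 3 8 AwEAAplaceholder=\n"),
}

# Log lines quoted from the message above.
SAMPLE_LOG = [
    "Jan 24 15:28:36 named[15837]: general: zone example/IN: zone_addnsec3chain(1,CREATE,12,19CC44675CFB020065B1)",
    "Jan 24 15:28:37 named[15837]: general: zone example/IN: reconfiguring zone keys",
    "Jan 24 15:28:37 named[15837]: general: zone example/IN: zone_addnsec3chain(1,REMOVE|NONSEC,12,19CC44675CFB020065B1)",
]

if __name__ == "__main__":
    now = datetime(2011, 1, 24, 15, 28, 37)  # the moment 'rndc sign' was issued
    active, states = check_zone_keys(SAMPLE_KEYFILES, now)
    print("key states at", now, states)
    if not active:
        print("no key is active; hold the NSEC3PARAM update until",
              next_activation(SAMPLE_KEYFILES, now))
    if nsec3chain_removed(SAMPLE_LOG):
        print("named removed the NSEC3 chain:", nsec3chain_events(SAMPLE_LOG))
```

Run against a directory of real key files (read each K*.key into the dict) just before the nsupdate that adds NSEC3PARAM; if no key reports "active", the check tells you the earliest Activate time to wait for, which in the thread's test is the 16:29:36 key event. The log parser is the corresponding after-the-fact check: a REMOVE action following "reconfiguring zone keys" is the signature of the behaviour described above.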