On 25/01/11 4:10 PM, "Alan Clegg" <acl...@isc.org> wrote:
> On 1/25/2011 9:51 AM, Kalman Feher wrote:
>
>> If the nsec3param has been removed, the automated signing will be weird if
>> you are using nsec3 keys. I havent tested this scenario, since it isnt
>> really a working scenario.
>
> There is no such thing as an "nsec3 key".
Sorry, I was a little sloppy with my vernacular.
I meant the algorithm used to create the keys in question. ie using -3 in
dnssec-keygen.
>
> If you auto-sign a zone that does not contain an NSEC3PARAM record, the
> zone will be signed using NSEC.
That was the observed behaviour of the OP, which wasn't their preference.
Hence the need to add and retain said nsec3param in this instance.
>
> [note that I'm leaving the rest of that mail to be responded to by
> someone with more intimate knowledge of the auto-signing mechanism]
>
> AlanC
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Kal Feher
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
