On 02/13/2011 10:40 AM, Stephane Bortzmeyer wrote:
> On Sun, Feb 13, 2011 at 11:07:31AM +0100,
> Stephane Bortzmeyer<bortzme...@nic.fr> wrote
> a message of 35 lines which said:
>
>> Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and
>> the AEP keyper HSM), with DNSSEC enabled, dynamically signing
>> records.
>> ...
>> at least in the second case, it was when updating a DNSKEY record
>> (an old ZSK was retired).
>
> I was not very clear, sorry: all provisioning is done (DNSKEY
> included) with dynamic updates. BIND is therefore responsible for
> keeping the NSEC3 chain (we use opt-out, by the way), and for signing,
> although the actual crypto is done by an AEP Keyper HSM.

The zone at the moment seems to be signed with NSEC; are you trying to
perform an online transition from NSEC to NSEC3 via dynamic update?
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users