On Wed, 2011-10-26 at 13:59 +0400, Peter Andreev wrote:
> Hello!
>
> We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> Recently we realised that our servers don't generate NSEC3 for the signed zone.
> The problem went away after we restarted the BIND instances.
Not sure about your problem - but if you are only just now starting to generate keys for DNSSEC, consider using RSASHA256 rather than RSASHA1. Key protocol rollovers need much love and care (and bit me in the ass) - rather avoid the situation by not using the older protocol for key generation. I believe the 'root' was signed with RSASHA256, so support for it should be wide-spread.

> Is the described behaviour normal for BIND or not?

I believe there was some sort of bug that required a named restart.

--
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
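As an added illustration of the two points in this reply (prefer RSASHA256 over the RSASHA1 family, and treat algorithm rollovers with care), not code from either poster: the script below audits a zone in presentation format and reports SHA-1-based DNSKEY algorithms, an NSEC3 zone that still uses the pre-NSEC3 algorithm numbers 3/5, and any RRset that lacks an RRSIG for an algorithm present in the DNSKEY RRset. The zone fragment is constructed, with key and signature material replaced by placeholders.

```python
"""Audit a DNSSEC-signed zone (presentation format) for the issues raised in the
thread: RSASHA1-family keys, an NSEC3 zone using non-NSEC3 algorithm numbers, and
an incomplete algorithm rollover.  Added example; the zone text is constructed."""
from collections import defaultdict

# DNSKEY algorithm numbers (IANA registry); 3/5 predate NSEC3, 6/7 are their NSEC3 aliases.
ALG_NAMES = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
             8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}
SHA1_FAMILY = {3, 5, 6, 7}
PRE_NSEC3 = {3, 5}

# Constructed zone fragment; key and signature material is elided as placeholders.
ZONE = """\
example.     3600 IN DNSKEY 257 3 7 KSK-PLACEHOLDER
example.     3600 IN DNSKEY 256 3 7 ZSK1-PLACEHOLDER
example.     3600 IN DNSKEY 256 3 8 ZSK2-PLACEHOLDER
example.     3600 IN RRSIG DNSKEY 7 1 3600 20111125000000 20111026000000 1 example. SIG
example.     3600 IN RRSIG DNSKEY 8 1 3600 20111125000000 20111026000000 2 example. SIG
example.     3600 IN NSEC3PARAM 1 1 10 ABCD
example.     3600 IN RRSIG NSEC3PARAM 7 1 3600 20111125000000 20111026000000 3 example. SIG
www.example. 3600 IN A 192.0.2.10
www.example. 3600 IN RRSIG A 7 2 3600 20111125000000 20111026000000 3 example. SIG
"""

def audit_zone(zone_text):
    """Return findings (strings) for the zone text; an empty list means clean."""
    key_algs, rrsets, has_nsec3 = set(), set(), False
    signed_by = defaultdict(set)            # (owner, type) -> algorithms with an RRSIG
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "RRSIG":                # rdata: type covered, algorithm, labels, ...
            signed_by[(owner, rdata[0])].add(int(rdata[1]))
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY":               # rdata: flags, protocol, algorithm, key
            key_algs.add(int(rdata[2]))
        elif rtype in ("NSEC3", "NSEC3PARAM"):
            has_nsec3 = True
    findings = []
    for alg in sorted(key_algs & SHA1_FAMILY):
        findings.append(f"weak: DNSKEY algorithm {alg} ({ALG_NAMES[alg]}) is SHA-1 based")
    if has_nsec3 and key_algs & PRE_NSEC3:
        findings.append("error: NSEC3 zone uses algorithm 3/5; RFC 5155 requires 6/7")
    # RFC 4035 2.2: every algorithm in the DNSKEY RRset must sign every RRset, so a
    # new-algorithm key must not be published before all RRsets carry its RRSIGs.
    for owner, rtype in sorted(rrsets):
        for alg in sorted(key_algs - signed_by[(owner, rtype)]):
            findings.append(f"rollover: {owner} {rtype} lacks RRSIG by algorithm {alg}")
    return findings

if __name__ == "__main__":
    for finding in audit_zone(ZONE):
        print(finding)
```

On the constructed zone this flags the RSASHA1-NSEC3-SHA1 keys and shows that the newly added RSASHA256 key has signed only the DNSKEY RRset, which is exactly the half-finished rollover state that breaks strict validators.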
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users