On 06.03.2012 at 08:55, Evan Hunt wrote:

> You should be able to use 'rndc signing -nsec3param' before the zone
> is signed. It's working for me:
>
> zone "example.nil" {
>     type master;
>     inline-signing yes;
>     auto-dnssec maintain;
>     file "example1.db";
> };
>
>
> $ rndc signing -nsec3param 1 0 10 BEEF example.nil
> $ rndc signing -list example.nil
> Pending NSEC3 chain 1 0 10 BEEF
> $ dnssec-keygen -3 example.nil
> Generating key pair.............................................++++++
> ......................++++++
> Kexample.nil.+007+28952
> $ dnssec-keygen -3fk example.nil
> Generating key pair...................................................+++
> ..................................+++
> Kexample.nil.+007+04053
> $ rndc loadkeys example.nil
> $ sbin/rndc signing -list example.nil
> Done signing with key 4053/NSEC3RSASHA1
> Done signing with key 28952/NSEC3RSASHA1
> $ dig @localhost +short nsec3param example.nil
> 1 0 10 BEEF

So, I have to do this again, if the NSEC3PARAM changes (e.g. with a different salt during ZSK rollover)? Or does auto-dnssec maintain take care of the changed NSEC3PARAM?
Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
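One way to check which NSEC3 parameters a zone currently has, pending or published, from the output of the two commands in the quoted session. This is an added example, not part of the thread; the function names and the state labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify a zone's NSEC3 state from
# the text printed by the two commands used in the quoted session.

# nsec3_state EXPECTED SIGNING_LIST DIG_SHORT
#   EXPECTED      wanted parameters, e.g. "1 0 10 BEEF"
#   SIGNING_LIST  output of: rndc signing -list ZONE
#   DIG_SHORT     output of: dig @localhost +short nsec3param ZONE
# Prints: published | pending | different | absent  (labels are hypothetical)
nsec3_state() {
    # The salt is hex, so compare case-insensitively by upper-casing a-f.
    want=$(printf '%s\n' "$1" | tr 'a-f' 'A-F')
    have=$(printf '%s\n' "$3" | tr 'a-f' 'A-F' | sed 's/[[:space:]]*$//')
    # Extract the parameters first; upper-casing the whole line would
    # also alter the words "Pending NSEC3 chain".
    pending=$(printf '%s\n' "$2" \
        | sed -n 's/^Pending NSEC3 chain //p' | tr 'a-f' 'A-F')

    if printf '%s\n' "$have" | grep -Fxq -- "$want"; then
        echo published      # the zone serves exactly these parameters
    elif printf '%s\n' "$pending" | grep -Fxq -- "$want"; then
        echo pending        # queued, chain not built yet
    elif [ -n "$have" ]; then
        echo different      # an NSEC3PARAM is served, but not this one
    else
        echo absent         # no NSEC3PARAM served and none queued
    fi
}

# check_zone ZONE EXPECTED: the same check against a running named.
check_zone() {
    nsec3_state "$2" "$(rndc signing -list "$1")" \
        "$(dig @localhost +short nsec3param "$1")"
}

# Constructed sample input, copied from the session quoted above.
SAMPLE_BEFORE='Pending NSEC3 chain 1 0 10 BEEF'
SAMPLE_AFTER='Done signing with key 4053/NSEC3RSASHA1
Done signing with key 28952/NSEC3RSASHA1'
```

Run against a live server as `check_zone example.nil "1 0 10 BEEF"`.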