On Tue, Mar 06, 2012 at 05:52:05PM +0100, Axel Rau wrote:
> As named is looking periodically for appearing/disappearing or changed
> keys in the key directory, I supposed it would notice changes of
> $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.
>
> So my script has to do these 3 steps on changing NSEC3PARAM:
> 1. create new NSEC3PARAM (replacing $INCLUDED file)
> 2. increment SOA serial
> 3. rndc signing -nsec3param myZone?
No $INCLUDE file is necessary for this.

If you were using auto-dnssec with a dynamic DNS zone in BIND 9.7 or higher,
you could use 'nsupdate' to insert a new NSEC3PARAM record. This causes
several things to happen:

- a new NSEC3 chain is generated for the zone
- the new NSEC3PARAM record is inserted
- the old NSEC3PARAM record (if any) is removed
- the old NSEC or NSEC3 chain is removed
- the SOA serial number is incremented

Now in BIND 9.9, if you're using auto-dnssec with either a dynamic DNS or an
inline-signing zone, then you can do this same thing by running
'rndc signing -nsec3param' instead of 'nsupdate'. Your script that creates a
new include file and bumps the SOA serial number is no longer needed for
NSEC3PARAM updates.

As for DS records, those are updated like any other data in the zone (i.e.,
use 'nsupdate' for dynamic DNS, or update your zone file and run
'rndc reload' for inline-signing zones).

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
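The two ways of changing NSEC3 parameters described in the reply above, as an added shell example that is not part of the thread and not ISC's code: it validates the NSEC3PARAM rdata, emits the nsupdate batch for a dynamic zone (BIND 9.7+), and prints the equivalent 'rndc signing -nsec3param' command for a 9.9 inline-signing or dynamic zone. The zone name example.com., the server 127.0.0.1, the TSIG key file /etc/bind/Kupdate.key and the parameters 1 0 10 (SHA-1, no opt-out, 10 iterations) are assumptions chosen for illustration; the salt is generated at run time. Note that current guidance (RFC 9276) is to use 0 iterations and no salt ("-"), since extra iterations only add cost for validators without adding security; 10 was a common choice when this thread was written.

```shell
#!/bin/sh
# Added example (not from the original thread or from ISC): build the
# NSEC3PARAM change for a BIND dynamic zone as an nsupdate batch, and the
# equivalent 'rndc signing -nsec3param' command for a 9.9 inline-signing zone.
# Assumed (hypothetical) values: zone example.com., server 127.0.0.1,
# TSIG key file /etc/bind/Kupdate.key, hash 1 (SHA-1), flags 0, 10 iterations.
set -eu

ZONE="example.com."
SERVER="127.0.0.1"
KEYFILE="/etc/bind/Kupdate.key"

# Random salt of $1 bytes as lowercase hex, read from /dev/urandom.
# A salt of "-" in the rdata means "no salt".
random_salt() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Validate and echo the NSEC3PARAM rdata "hash flags iterations salt".
# Rejects what named would not accept: non-numeric fields, a hash other
# than 1 (the only algorithm defined by RFC 5155), flags other than 0 or 1
# (BIND uses 1 to request opt-out), and a salt that is neither "-" nor an
# even-length hex string.
nsec3_rdata() {
    hash=$1; flags=$2; iters=$3; salt=$4
    for n in "$hash" "$flags" "$iters"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$hash" -eq 1 ] || return 1
    [ "$flags" -eq 0 ] || [ "$flags" -eq 1 ] || return 1
    case $salt in
        -) ;;
        ''|*[!0-9A-Fa-f]*) return 1 ;;
        *) [ $(( ${#salt} % 2 )) -eq 0 ] || return 1 ;;
    esac
    printf '%s %s %s %s\n' "$hash" "$flags" "$iters" "$salt"
}

# nsupdate batch for a dynamic zone with auto-dnssec (BIND 9.7+). Adding the
# new NSEC3PARAM is enough: named builds the new chain, removes the old
# NSEC3PARAM and chain, and bumps the SOA serial itself.
nsupdate_batch() {
    rdata=$1
    printf 'server %s\nzone %s\nupdate add %s 0 IN NSEC3PARAM %s\nsend\n' \
        "$SERVER" "$ZONE" "$ZONE" "$rdata"
}

# rndc equivalent (BIND 9.9, dynamic or inline-signing zone with auto-dnssec).
rndc_command() {
    printf 'rndc signing -nsec3param %s %s\n' "$1" "$ZONE"
}

rdata=$(nsec3_rdata 1 0 10 "$(random_salt 8)")
echo "# dynamic zone: pipe the following into 'nsupdate -k $KEYFILE'"
nsupdate_batch "$rdata"
echo "# inline-signing zone (BIND 9.9):"
rndc_command "$rdata"
echo "# check the chain state afterwards with: rndc signing -list $ZONE"
```

Run it as-is to see the batch and the command; pipe the batch into `nsupdate -k /etc/bind/Kupdate.key` (hypothetical key path) on the dynamic-zone server, or run the printed `rndc signing` line against an inline-signing zone. `rndc signing -list example.com.` shows whether the new chain is still being built, and `rndc signing -nsec3param none example.com.` takes the zone back to NSEC. Neither path touches the zone file or the SOA serial by hand.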