In message <e5c102c2-758f-407e-8970-23b60dce7...@chaos1.de>, Axel Rau writes:
>
> On 06.03.2012 at 17:28, Evan Hunt wrote:
>
> > However, whenever you do wish to change them,
> Yes.
> > you can do so with
> > 'rndc signing -nsec3param', and the chain will be updated automatically.
> I see.
> As named is looking periodically for appearing/disappearing or changed
> keys in the key directory, I supposed it would notice changes of
> $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.
>
> So my script has to do these 3 steps on changing NSEC3PARAM:
> 1. create new NSEC3PARAM (replacing $INCLUDED file)
> 2. increment SOA serial
> 3. rndc signing -nsec3param myZone?
>
> Thanks, Axel

NSEC3PARAM records should be generated by the signing software and
not just be added to the zone. Their presence/absence changes how
the zone is served. In particular how negative and wildcard responses
are generated.

named stages the introduction/removal of NSEC3 chains and their
associated NSEC3PARAM records. named also stages the introduction/removal
of NSEC records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
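
An added example, not part of the thread or of BIND: a pre-reload lint that finds hand-maintained NSEC3PARAM records in an unsigned zone source and prints the `rndc signing -nsec3param` call that should carry those parameters instead. The function names and the sample zone are constructed; the argument order (hash, flags, iterations, salt, zone) is rndc's documented one, which the thread does not spell out, and records are assumed to sit on a single line.

```shell
#!/bin/sh
# Added example: lint an unsigned zone source for hand-added NSEC3PARAM RRs.

# Constructed sample zone; the NSEC3PARAM line is what the lint should catch.
sample_zone() {
    cat <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. 2012030601 7200 3600 1209600 3600
@   IN NS  ns1.example.com.
@   IN NSEC3PARAM 1 0 10 ABCD1234  ; hand-added, should not be here
www IN A   192.0.2.10
EOF
}

# nsec3param_to_rndc ZONE < zonefile
# Prints one rndc command per NSEC3PARAM record read from stdin.
# Exit status 1 means the source contains such records and needs cleaning.
nsec3param_to_rndc() {
    awk -v zone="$1" '
        { sub(/;.*/, "") }                      # drop zone-file comments
        {
            for (i = 1; i <= NF; i++) {
                if (toupper($i) != "NSEC3PARAM") continue
                found = 1
                # RDATA: hash-alg flags iterations salt ("-" = empty salt)
                if ($(i+1) ~ /^[0-9]+$/ && $(i+2) ~ /^[0-9]+$/ &&
                    $(i+3) ~ /^[0-9]+$/ && $(i+4) ~ /^(-|[0-9A-Fa-f]+)$/)
                    printf "rndc signing -nsec3param %s %s %s %s %s\n",
                           $(i+1), $(i+2), $(i+3), $(i+4), zone
                else
                    printf "line %d: malformed NSEC3PARAM\n", NR > "/dev/stderr"
                break
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Usage: nsec3param_to_rndc example.com < db.example.com
# Remove the reported record from the source, then run the printed command.
```
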