On Wed, Mar 07, 2012 at 10:33:24AM +1100, Wolfgang Nagele wrote:
> Nothing says so in the specs: http://tools.ietf.org/html/rfc5155#section-4

It does, actually:  "The presence of an NSEC3PARAM RR at a zone apex
indicates that the specified parameters may be used by authoritative
servers to choose an appropriate set of NSEC3 RRs for negative responses."

In other words, by putting NSEC3PARAM in place, you're telling your
slaves that they can rely on the existence of a full and complete NSEC3
chain matching those parameters.  If the zone isn't signed yet, or the
NSEC3 chain isn't fully generated yet, then that could cause breakage.

The way we work around this is by inserting a special private-type record
(TYPE65534, by default) into the zone, which contains your intended NSEC3
parameters.  After named has finished generating the chain, it removes
the private record.  (You could insert this record into the unsigned
zone if you wanted to, and it would work, but using rndc is a lot
easier.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
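An added check for the property Evan describes, not code from the thread or from BIND: given the apex NSEC3PARAM rdata and the zone's NSEC3 RRs, it verifies that every NSEC3 RR uses the advertised parameters and that every owner name in the zone hashes to an existing NSEC3 owner, which is what "a full and complete NSEC3 chain matching those parameters" means in practice. It implements the RFC 5155 section 5 hash itself; the sample records below are constructed input using the RFC 5155 Appendix A parameters, and the function names are my own.

```python
import base64
import hashlib

# RFC 5155 section 5 encodes the digest in Base32 with the "Extended Hex"
# alphabet (RFC 4648); Python's b32encode uses the standard one, so translate.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, iterations, salt_hex, algorithm=1):
    """Hashed owner label: IH(0)=H(name||salt), IH(k)=H(IH(k-1)||salt), H=SHA-1."""
    if algorithm != 1:  # SHA-1 is the only hash algorithm RFC 5155 defines
        raise ValueError(f"unknown NSEC3 hash algorithm {algorithm}")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def check_chain(nsec3param, nsec3_rrs, zone_names):
    """Problems that make the apex NSEC3PARAM a lie; [] means every NSEC3 RR uses
    its parameters and every name in zone_names hashes to an existing NSEC3 owner.
    nsec3param: rdata "alg flags iterations salt"; nsec3_rrs: {hashed label: rdata}."""
    alg, _flags, iters, salt = nsec3param.split()
    problems = []
    for owner, rdata in nsec3_rrs.items():  # 1. parameters must match exactly
        r_alg, _r_flags, r_iters, r_salt = rdata.split()[:4]
        if (r_alg, r_iters, r_salt.lower()) != (alg, iters, salt.lower()):
            problems.append(f"{owner}: NSEC3 params {r_alg} {r_iters} {r_salt} != NSEC3PARAM")
    for name in zone_names:  # 2. the chain must cover every name in the zone
        if nsec3_hash(name, int(iters), salt, int(alg)) not in nsec3_rrs:
            problems.append(f"{name}: no NSEC3 RR at its hashed owner name")
    return problems

# Constructed sample with the RFC 5155 Appendix A parameters: a chain still being
# generated, so ns1.example. has no NSEC3 RR yet although NSEC3PARAM is present.
PARAMS = "1 0 12 aabbccdd"
NAMES = ["example.", "a.example.", "ns1.example."]

def _h(name):  # helper for the sample below
    return nsec3_hash(name, 12, "aabbccdd")

PARTIAL_CHAIN = {
    _h("example."): f"1 0 12 aabbccdd {_h('a.example.')} NS SOA RRSIG DNSKEY NSEC3PARAM",
    _h("a.example."): f"1 0 12 aabbccdd {_h('example.')} NS DS RRSIG",
}
```

Run `check_chain(PARAMS, PARTIAL_CHAIN, NAMES)` against a zone dump taken while named is still building the chain and it reports the names not yet covered; an empty list is the point at which NSEC3PARAM may truthfully appear at the apex.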

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users