Switch from NSEC to NSEC3 !!! This is a statement with potentially huge consequences, IMHO.
Only valid where DNSSEC algorithms allow either method (like algo #8 and algo #10, unsure about others). For an algorithm like #5, NSEC is implied.

So suggesting that it is easy to switch (between NSEC and NSEC3), without mentioning the link with the algorithm and without mentioning the consequences if chain-of-trust is established (and (DNSSEC) data might be cached "out there"), is probably not the right thing to do.
(Given recent contributions in this list that DNSSEC management is not easy ...)

Kind regards,

Marc Lampo
Security Officer
EURid (for .eu)

-----Original Message-----
...
(Also, if you want to switch to NSEC instead of NSEC3, you can use
'rndc signing -nsec3param none'.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.