Phil, On 03/07/12 10:27, Phil Mayers wrote: > On 03/07/2012 08:50 AM, Marco Davids (SIDN) wrote: > >> I also find it a bit strange that BIND decides to go for NSEC, even when >> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1). >> > AS I understand it, NSEC3 incurs overhead at validating resolvers. That > being the case, it is unfriendly to use it unless you really need it
I don't have a problem with that. It's just that I find the current way BIND works a bit tricky. I would feel more comfortable with an explicit configuration-option in named.conf, rather than a seperate action (being 'rndc signing -nsec3param'). (In the case I *really* want NSEC3 that is, naturally) Regards, -- Marco _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
