Peter Andreev <andreev.pe...@gmail.com> wrote:
>
> We signed another zone and met the same problem again. The only
> difference is the algorithm - now it is RSASHA256.
>
> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> > signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> > Recently we realised that our servers don't generate NSEC3 for the signed zone.
> > The problem went away after we restarted the BIND instances.
>
> We are using views, could it be related?

Did you add an NSEC3PARAM record?

The signing algorithms that support NSEC3 use NSEC by default unless the
zone has an NSEC3PARAM record.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
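
An added example, not part of the original thread: a check of the rule in the reply above, classifying which denial-of-existence mode the apex records of a zone imply. The record layouts and the "ignore non-zero flags" rule follow RFC 4034 and RFC 5155; the zone name `example.test`, the function names and the sample records are assumptions constructed for illustration.

```python
# Added example (not from the thread): which denial-of-existence mode the
# records at a zone apex imply. Input lines use "name ttl class type rdata".
NSEC_ONLY_ALGS = {1, 3, 5}  # RSAMD5, DSA, RSASHA1: no NSEC3 signalling (RFC 5155)

def parse(lines):
    """Yield (owner, type, rdata fields) for each record line."""
    for line in lines:
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        yield owner.lower().rstrip("."), rtype.upper(), rdata

def denial_mode(lines, zone):
    """Return 'unsigned', 'nsec-only-alg', 'nsec3' or 'nsec-default'."""
    zone = zone.lower().rstrip(".")
    algs, usable_param = set(), False
    for owner, rtype, rdata in parse(lines):
        if owner != zone:
            continue  # only apex records decide this
        if rtype == "DNSKEY":
            algs.add(int(rdata[2]))  # rdata: flags, protocol, algorithm, key
        elif rtype == "NSEC3PARAM":
            # rdata: hash alg, flags, iterations, salt; RFC 5155 says a
            # record with non-zero flags must be ignored
            usable_param |= int(rdata[1]) == 0
    if not algs:
        return "unsigned"
    if algs & NSEC_ONLY_ALGS:
        return "nsec-only-alg"
    return "nsec3" if usable_param else "nsec-default"

# Constructed sample data; key material is a placeholder, not a real key.
SIGNED_NO_PARAM = [
    "example.test. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY==",
    "example.test. 3600 IN DNSKEY 256 3 8 PLACEHOLDERKEY==",
]
SIGNED_WITH_PARAM = SIGNED_NO_PARAM + [
    "example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD",
]

if __name__ == "__main__":
    print(denial_mode(SIGNED_NO_PARAM, "example.test"))
    print(denial_mode(SIGNED_WITH_PARAM, "example.test"))
```

Feeding it the DNSKEY and NSEC3PARAM answers collected from each server and each view shows which instances are serving a zone that still lacks a usable NSEC3PARAM.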