In message <CB52CF69EC353F4FBC9BA1581123C72E1C73D14C@TORMBXW01.bluecatnetworks.corp>, David Sherman writes:
> Hi,
> 
> If dynamic signing is used with BIND 9.8, what is the recommended procedure to
> switch from NSEC3-signed zone to NSEC-signed without changing existing DNSKEYs
> (currently RSA/SHA-512 algorithms are used for both ZSK and KSK)?
> Any specific options for dnssec-signzone?

Throw the signed zone in an editor.  Remove all the NSEC3 records.  Remove
the NSEC3PARAM records.  Sign the zone but DO NOT use -3 or -H.  If you don't
specify a salt or iterations then an NSEC chain will be built instead of an
NSEC3 chain.

For a dynamic zone just remove all NSEC3PARAM records.  named will do the
rest.
 
> Thanks,
> David
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
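
The manual edit described in the reply above (remove the NSEC3 and NSEC3PARAM records before re-signing), as an added example that is not part of the original message or of BIND. The function names are hypothetical, the input is assumed to be a text-format zone file such as dnssec-signzone writes, and also dropping the RRSIGs that cover the removed types is this example's assumption, switchable with `drop_sigs`.

```python
import re

DROP = {"NSEC3", "NSEC3PARAM"}
TTL_OR_CLASS = re.compile(r"(\d+[smhdw]?)+|IN|CH|HS", re.I)

def records(text):
    """Group lines into logical records, joining ( ... ) continuations."""
    buf, depth = [], 0
    for line in text.splitlines():
        code = line.split(";", 1)[0]  # assumption: no ';' or parens in quoted strings
        depth += code.count("(") - code.count(")")
        buf.append(line)
        if depth <= 0:
            yield "\n".join(buf)
            buf, depth = [], 0
    if buf:
        yield "\n".join(buf)  # unbalanced '(' at end of file: pass through

def parse(record):
    """Return (owner or None if inherited, type, type covered by an RRSIG)."""
    first = record.split("\n", 1)[0].split(";", 1)[0]
    tok = first.replace("(", " ").split()
    if not tok or tok[0].startswith("$"):
        return None, None, None  # blank line, comment or $directive
    owner = None if first[0].isspace() else tok.pop(0)
    while tok and TTL_OR_CLASS.fullmatch(tok[0]):
        tok.pop(0)
    rtype = tok[0].upper() if tok else None
    covered = tok[1].upper() if rtype == "RRSIG" and len(tok) > 1 else None
    return owner, rtype, covered

def strip_nsec3(text, drop_sigs=True):
    """Drop NSEC3/NSEC3PARAM records (and, by assumption, their RRSIGs)."""
    out, owner, written = [], None, None
    for rec in records(text):
        name, rtype, covered = parse(rec)
        if rtype is not None:
            owner = name or owner
            if rtype in DROP or (drop_sigs and covered in DROP):
                continue
            if name is None and written != owner:
                rec = owner + rec  # owner line was dropped: restore the name
            written = owner
        out.append(rec)
    return "\n".join(out) + "\n"

# Constructed sample, not real zone data.
SAMPLE = ("example.test. 0 IN NSEC3PARAM 1 0 10 ABCD\n"
          "\t0 IN RRSIG NSEC3PARAM 10 2 0 (\n"
          "\t\t20300101000000 20200101000000 1 example.test. c2ln )\n"
          "\t3600 IN NS ns.example.test.\n")
```

The NS record in the sample inherits its owner name from the dropped NSEC3PARAM line, so the filter writes the name back onto it; a naive line-by-line delete would leave that record attached to whatever owner precedes it.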