I have a zone maintained by:

        inline-signing yes;
        auto-dnssec maintain;
        update-policy local; 

I switched it from the default NSEC to NSEC3 with:

rndc signing -nsec3param 1 0 10  68f499ee auto.rd.nic.fr

It seems to work but the zone still contains NSEC signatures (but no
NSEC records):

auto.rd.nic.fr.         86400   IN      RRSIG   NSEC 8 4 86400 20130829140232 
20130730135801 53989 auto.rd.nic.fr. 
FNHDlnIq1fN0bVJtLvP56BNw3Pydmogp8KWn2n200zMWSuHrq1sgU3Q3 
cv8o+Cbr6w871IHBKwd+edz67URntzWferPzy2aklAEIdsRlvHSDHJyD 
WzUs915+GeUR0NOU2m/zfWQBAYBj8UP2i1puxh4NBzfnGF9ChCRKuhrT 
pBz+hxgdNKpQ2rt+NkBXFGKtZUz1eIDCpiT5F8CweetnajSyKRUVFCod 
emrOfdR1axr4Bp5Jaokrp5XbC2tefSs+NqXJycHBhmMGisAXOho4fOKY 
5OWMb7IrcXA0xh8LUF5+uuQ6mpM7j+i0ZLiubt2TR6VxkcGbb4yfXWef x7vYAQ==

Some checking tools complain. For instance, validns:

auto.rd.nic.fr:8: auto.rd.nic.fr. RRSIG exists for non-existing type NSEC

Is it a bug? Or did I use the wrong procedure to switch to NSEC3?

BIND 9.9.2-P1 (the last version in the current Ubuntu)

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
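
Added example, not part of the original post and not validns code: a minimal Python check for the condition the validns message above reports, an RRSIG whose covered type has no RRset at the same owner name. It assumes one record per line in `owner TTL IN type rdata` form; the sample zone, its SOA names and its signature strings are constructed.

```python
from collections import defaultdict

# Constructed sample: an NSEC3-signed zone whose apex still carries an
# RRSIG covering NSEC. Signature fields are placeholders, not real data.
SIG = "20130829140232 20130730135801 53989 auto.rd.nic.fr. c2lnLXBsYWNlaG9sZGVy"
SAMPLE_ZONE = f"""\
auto.rd.nic.fr. 86400 IN SOA ns.example. hostmaster.example. 1 3600 600 86400 86400
auto.rd.nic.fr. 86400 IN RRSIG SOA 8 4 86400 {SIG}
auto.rd.nic.fr. 0 IN NSEC3PARAM 1 0 10 68F499EE
auto.rd.nic.fr. 0 IN RRSIG NSEC3PARAM 8 4 0 {SIG}
auto.rd.nic.fr. 86400 IN RRSIG NSEC 8 4 86400 {SIG}
"""


def parse_records(zone_text):
    """Yield (owner, type, rdata_fields) for each one-line record."""
    for line in zone_text.splitlines():
        # Simplification: treats ';' as a comment start everywhere, so
        # quoted TXT data containing ';' is not handled.
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not in "owner TTL IN type rdata" form
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def orphan_rrsigs(zone_text):
    """Return sorted (owner, covered_type) pairs that have an RRSIG
    but no RRset of the covered type at that owner name."""
    present = defaultdict(set)   # owner -> record types that exist
    covered = defaultdict(set)   # owner -> types some RRSIG covers
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "RRSIG":
            covered[owner].add(rdata[0].upper())  # first field: type covered
        else:
            present[owner].add(rtype)
    return sorted(
        (owner, t)
        for owner, types in covered.items()
        for t in types - present[owner]
    )


if __name__ == "__main__":
    for owner, rtype in orphan_rrsigs(SAMPLE_ZONE):
        print(f"{owner} RRSIG exists for non-existing type {rtype}")
```
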