Hi Matthijs!

I always had the impression that dnssec-signzone is a stand-alone utility and signing is done either with dnssec-signzone or with Bind's dnssec-policy. Does it really work to use dnssec-signzone on a zone and journal that is managed by named?

Regards
Klaus

--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria

> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of
> Matthijs Mekking
> Sent: Tuesday, 1 October 2024 08:49
> To: bind-users@lists.isc.org
> Subject: Re: Specifying NSEC3 salt with dnssec-policy
>
> Hi Klaus,
>
> With dnssec-policy you can specify the salt length, not a specific salt.
>
> You can still use dnssec-signzone -3 to manually set a salt.
>
> Best regards,
>
> Matthijs
>
> On 9/30/24 22:38, Klaus Darilion via bind-users wrote:
> > Hello!
> >
> > With "auto-dnssec maintain;" I was used to specifying the NSEC3 salt with
> > 'rndc signing -nsec3param'. Today I used the "dnssec-policy" and I
> > failed to specify the salt manually. Are there any tricks/workarounds to
> > manually specify the NSEC3 salt?
> >
> > I know that actually the salt should be "-" but currently I am debugging
> > an NSEC3 issue in our system and in such cases I always use Bind as a
> > reference for how the proper NSEC3 should look. Hence I was in need to
> > manually set the salt to be similar to the production zone. Luckily I
> > was on 9.18 and switched back to auto-dnssec.
> >
> > Thanks
> >
> > Klaus
> >
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
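An independent reference calculation for the debugging scenario discussed in this thread, added here as an example and not code from the thread's participants or from ISC: it computes the RFC 5155 NSEC3 owner hash for a name, salt and iteration count, so the hashes a signer produced with a given salt (or "-" for no salt) can be cross-checked. The function names are this example's own, and the sample parameters are the RFC 5155 Appendix A test values.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet (RFC 4648), as NSEC3 requires.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical DNS wire format: lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:  # the root name "." has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def parse_salt(salt: str) -> bytes:
    """NSEC3PARAM presentation format: '-' means empty salt, otherwise hex."""
    return b"" if salt == "-" else bytes.fromhex(salt)


def nsec3_hash(name: str, salt: str, iterations: int) -> str:
    """RFC 5155 section 5, hash algorithm 1 (SHA-1).

    IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt). 'iterations' counts
    the additional rounds after the first hash.
    """
    salt_bytes = parse_salt(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower()


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations.
    for owner in ("example", "a.example"):
        print(owner, nsec3_hash(owner, "aabbccdd", 12))
```

Feed it the salt and iteration count from the zone's NSEC3PARAM record and compare the result with the leftmost label of the corresponding NSEC3 owner name.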