Bind error when switching from NSEC to NSEC3

Evan Hunt each at
Fri Aug 14 04:44:03 UTC 2009

> dnssec-signzone incorrectly leaves NSEC records in a zone when "re-using"
> the old signed zone when changing from NSEC to NSEC3. The resulting zone
> file will contain both NSEC and NSEC3 records.

Yes.  Moreover, it does the same thing when changing from NSEC3 to NSEC,
which you can do by accident far too easily--simply by forgetting the -3
flag when you re-sign.  There's an open bug ticket about this; I plan to
fix it soon.

Thanks for mentioning it.

Evan Hunt -- each at
Internet Systems Consortium, Inc.
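
A way to check a signed zone file for the mixed NSEC/NSEC3 state described in this thread, as an added example that is not part of the original post or of BIND. The helper names (rr_types, denial_mode) and the sample zone are constructed for illustration, and the parser assumes no ';' or parentheses inside quoted strings. It reads the type field of each record, because a plain text search for "NSEC" also matches RRSIG "type covered" fields and NSEC type bitmaps.

```python
from collections import Counter
import re

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+([smhdw]\d*)*$", re.I)   # 3600, 1h, 1h30m

def rr_types(zone_text):
    """Yield the RR type of every record in master-file text."""
    depth = 0                                  # open "(" groups carried across lines
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments (assumes no quoted ';')
        inside = depth > 0
        depth += line.count("(") - line.count(")")
        if inside or not line.strip() or line.lstrip().startswith("$"):
            continue                           # rdata continuation, blank line, or $TTL/$ORIGIN
        fields = line.split()
        if not line[0].isspace():
            fields = fields[1:]                # first token is the owner name
        while fields and (fields[0].upper() in CLASSES or TTL_RE.match(fields[0])):
            fields = fields[1:]                # optional TTL and class, either order
        if fields:
            yield fields[0].upper()

def denial_mode(zone_text):
    """Return (mode, nsec_count, nsec3_count); mode 'mixed' is the state to fix."""
    seen = Counter(rr_types(zone_text))
    nsec, nsec3 = seen["NSEC"], seen["NSEC3"]
    mode = "mixed" if nsec and nsec3 else "nsec" if nsec else "nsec3" if nsec3 else "unsigned"
    return mode, nsec, nsec3

# Constructed sample in dnssec-signzone layout: stale NSEC records left beside NSEC3.
MIXED_ZONE = """\
$TTL 3600
example.com.        3600 IN SOA ns1.example.com. admin.example.com. (
                    2009081401 3600 900 604800 3600 )
                    3600 RRSIG SOA 5 2 3600 20090913000000 (
                    20090814000000 12345 example.com.
                    c2FtcGxlLXNpZw== )
                    3600 NSEC www.example.com. SOA RRSIG NSEC
                    3600 RRSIG NSEC 5 2 3600 20090913000000 (
                    20090814000000 12345 example.com.
                    c2FtcGxlLXNpZw== )
                    0 NSEC3PARAM 1 0 10 AABBCCDD
www.example.com.    3600 IN A 192.0.2.1
                    3600 NSEC example.com. A RRSIG NSEC
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 0 10 AABBCCDD (
                    2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG )
"""

if __name__ == "__main__":
    print(denial_mode(MIXED_ZONE))
```

A result of "mixed" after re-signing means the old denial-of-existence chain was carried over; re-signing from the unsigned zone file instead of the previously signed one avoids the re-use.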
