Adding first DNSKEY record with update (9.6.0 vs 9.6.1)

Mark Andrews marka at isc.org
Wed Jul 15 01:04:10 UTC 2009


In message <Prayer.1.3.1.0907141701530.27401 at hermes-2.csi.cam.ac.uk>, Chris Thompson writes:
> In BIND 9.6.0 one could take an unsigned zone and add an initial
> KSK and ZSK to it using nsupdate (and if the right files were in the
> key directory, it would sign everything correctly). In BIND 9.6.1
> this no longer works: it returns REFUSED. It's unclear to me whether
> this change was intended - if so I can't work out which entry in the
> CHANGES file it corresponds to.

2530.   [bug]           named failed to reject insecure to secure transitions
                        via UPDATE. [RT #19101]

The functionality was supposed to be conditionally available.
When it is complete, it will be available in a default build.

> Both 9.6.0 and 9.6.1 give REFUSED if one attempts to delete the
> last KSK (although they let you remove all the ZSKs).
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


