Mark Andrews marka at isc.org
Tue Sep 29 15:52:13 UTC 2009

In message <alpine.LFD.1.10.0909291125070.11541 at newtla.xelerance.com>, Paul Wou
ters writes:
> On Wed, 30 Sep 2009, Mark Andrews wrote:
> >> http://www.afnic.fr/outils/zonecheck/_en
> >
> > The key word is "required".  I know some do, I just wish more did.
> I for one, welcome our new named-checkzone overlords.
> (especially if named-checkzone would fail to OK a zone with NSEC3RSASHA1 keys
> and re-used NSEC records :)

NSEC3RSASHA1 w/ NSEC is fine and is required if you want to transition
from RSASHA1 (w/ NSEC) to NSEC3RSASHA1 w/ NSEC3 w/o going insecure.

NSEC + NSEC3PARAM however could be rejected as could having multiple
NSEC3PARAM records.

> Paul

Not named-checkzone (yet) but the following are in BIND 9.6.2.

2686.   [bug]           dnssec-signzone should clean the old NSEC chain when
                        signing with NSEC3 and vice versa. [RT #20301]

2683.   [bug]           dnssec-signzone should clean out old NSEC3 chains when
                        the NSEC3 parameters used to sign the zone change.
                        [RT #20246]

dnssec-signzone works on the zone as a whole so it is in the position
to do this in a straight forward manner.  Named, however, needs to
support multiple NSEC3 chains (though not all may be complete) as
it does its work incrementally but perhaps it could be argued that
when you finish adding new NSEC3 chain incrementally the old one
should be removed.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list