nsec3 in bind 9.7

Evan Hunt each at isc.org
Sat Feb 20 04:07:24 UTC 2010


> NSEC only DNSKEYs and NSEC3 chains not allowed

That should've been worded or at least punctuated better.  "NSEC-only
DNSKEYs not allowed with NSEC3 chains", perhaps.  It means you're using
at least one DNSKEY with an algorithm that predates NSEC3, and therefore
your zone can't have a valid NSEC3 chain.  Use "dnssec-keygen -3" to
generate your keys.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.



More information about the bind-users mailing list