bind 9.7, dnssec and multiple key directories and resalt NSEC3

[Tim Verhoeven]

Hi,

I'm currently testing the automatic signing for DNSSEC present in Bind
9.7. I'm currently using Bind 9.7.0 and I have 2 questions.

The first one, can I configure multiple key directories? The reasoning
for this is that I would like to seperate the KSK's from the ZSK's.
And this to be able to not have the KSK's present all the time by
putting them on a removable media. For the ZSK's I have no choice
since I will be doing dynamic updates.
Or are there other means to do this except from adding and removing
the KSK's when needed ?

The second question. I've tried doing a resalt using dynamic updates
but I can't get it to work. Just adding a new NSEC3PARAM RR crashes
Bind and doing a delete and then a add (to replace the present RR)
gives me a servfail but I see the updats in the log.
What is the correct way to do a resalt when using automatic signing ?

Thank you,
Tim

-- 
Tim Verhoeven - tim.verhoeven.be at gmail.com - 0479 / 88 11 83

Hoping the problem  magically goes away  by ignoring it is the
"microsoft approach to programming" and should never be allowed.
(Linus Torvalds)