DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Tue Jan 25 16:07:25 UTC 2011

On 25/01/11 4:10 PM, "Alan Clegg" <aclegg at isc.org> wrote:

> On 1/25/2011 9:51 AM, Kalman Feher wrote:
>> If the nsec3param has been removed, the automated signing will be weird if
>> you are using nsec3 keys. I havent tested this scenario, since it isnt
>> really a working scenario.
> There is no such thing as an "nsec3 key".
Sorry, I was a little sloppy with my vernacular.
I meant the algorithm used to create the keys in question. ie using -3 in

> If you auto-sign a zone that does not contain an NSEC3PARAM record, the
> zone will be signed using NSEC.
That was the observed behaviour of the OP, which wasn't their preference.
Hence the need to add and retain said nsec3param in this instance.

> [note that I'm leaving the rest of that mail to be responded to by
> someone with more intimate knowledge of the auto-signing mechanism]
> AlanC
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Kal Feher 

More information about the bind-users mailing list