NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
Axel Rau
Axel.Rau at Chaos1.DE
Tue Mar 6 09:43:20 UTC 2012
On 06.03.2012 at 08:55, Evan Hunt wrote:
> You should be able to use 'rndc signing -nsec3param' before the zone
> is signed. It's working for me:
>
> zone "example.nil" {
> type master;
> inline-signing yes;
> auto-dnssec maintain;
> file "example1.db";
> };
>
>
> $ rndc signing -nsec3param 1 0 10 BEEF example.nil
> $ rndc signing -list example.nil
> Pending NSEC3 chain 1 0 10 BEEF
> $ dnssec-keygen -3 example.nil
> Generating key pair.............................................++++++
> ......................++++++
> Kexample.nil.+007+28952
> $ dnssec-keygen -3fk example.nil
> Generating key pair...................................................+++
> ..................................+++
> Kexample.nil.+007+04053
> $ rndc loadkeys example.nil
> $ sbin/rndc signing -list example.nil
> Done signing with key 4053/NSEC3RSASHA1
> Done signing with key 28952/NSEC3RSASHA1
> $ dig @localhost +short nsec3param example.nil
> 1 0 10 BEEF
So, I have to do this again if the NSEC3PARAM changes (e.g. with a different salt during ZSK rollover)?
Or does auto-dnssec maintain take care of the changed NSEC3PARAM?
Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
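An added example, not code from this thread or from BIND: it parses an NSEC3PARAM record in the form the quoted `dig +short nsec3param` command prints (`1 0 10 BEEF`), checks it against the parameters an operator intended to install, and computes the RFC 5155 hashed owner name for a given name under those parameters, so that after a salt or iteration change (such as during a rollover) one can confirm the published chain is the one expected. The function names and the sample inputs are constructed for this example.

```python
import hashlib

# Translate RFC 4648 base32 output into base32hex (the alphabet NSEC3 uses).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical DNS wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_nsec3param(text: str):
    """Parse 'alg flags iterations salt' as printed by dig; '-' means no salt."""
    alg, flags, iterations, salt = text.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes

def nsec3_hash(name: str, nsec3param: str) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), iterated 'iterations' more times."""
    alg, _flags, iterations, salt = parse_nsec3param(nsec3param)
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding needed.
    import base64
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX).lower()

def chain_matches(dig_output: str, intended: str) -> bool:
    """True if the live NSEC3PARAM (dig +short output) equals the intended one."""
    return parse_nsec3param(dig_output.strip()) == parse_nsec3param(intended)

if __name__ == "__main__":
    # Constructed inputs mirroring the thread: intended params and dig's answer.
    intended = "1 0 10 BEEF"
    live = "1 0 10 BEEF\n"
    print("live chain matches intended:", chain_matches(live, intended))
    print("hashed owner of example.nil:", nsec3_hash("example.nil.", intended))
```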