NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
each at isc.org
Tue Mar 6 16:28:49 UTC 2012
> So, I have to do this again, if the NSEC3PARAM changes (e.g. with a
> different salt during ZSK rollover)? Or does auto-dnssec maintain take
> care on the changed NSEC3PARAM?
I'm not sure I understand the question; there's no requirement that
you change the NSEC3 parameters during a key roll.
However, whenever you do wish to change them, you can do so with
'rndc signing -nsec3param', and the chain will be updated automatically.
(Also, if you want to switch to NSEC instead of NSEC3, you can use
'rndc signing -nsec3param none'.)
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users