NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Evan Hunt each at isc.org
Tue Mar 6 16:28:49 UTC 2012

> So, I have to do this again, if the NSEC3PARAM changes (e.g. with a
> different salt during ZSK rollover)?  Or does auto-dnssec maintain take
> care on the changed NSEC3PARAM?

I'm not sure I understand the question; there's no requirement that
you change the NSEC3 parameters during a key roll.

However, whenever you do wish to change them, you can do so with
'rndc signing -nsec3param', and the chain will be updated automatically.

(Also, if you want to switch to NSEC instead of NSEC3, you can use
'rndc signing -nsec3param none'.)

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list