NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
Axel.Rau at Chaos1.DE
Tue Mar 6 16:52:05 UTC 2012
On 06.03.2012 at 17:28, Evan Hunt wrote:
> However, whenever you do wish to change them,
> you can do so with
> 'rndc signing -nsec3param', and the chain will be updated automatically.
As named is looking periodically for appearing/disappearing or changed keys in the key directory, I supposed it would notice changes of $INCLUDEd DS or NSEC3PARAM RR automagically and act upon them.
So my script has to do these 3 steps on changing NSEC3PARAM:
1. create new NSEC3PARAM (replacing $INCLUDED file)
2. increment SOA serial
3. rndc signing -nsec3param myZone?
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius