NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Axel Rau Axel.Rau at Chaos1.DE
Tue Mar 6 16:52:05 UTC 2012

Am 06.03.2012 um 17:28 schrieb Evan Hunt:

> However, whenever you do wish to change them,
> you can do so with
> 'rndc signing -nsec3param', and the chain will be updated automatically.
I see.
As named is looking periodically for appearing/disappearing or changed keys in the key directory, I supposed it would notice changes of $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.

So my script has to do these 3 steps on changing NSEC3PARAM:
1. create new NSEC3PARAM (replacing $INCLUDED file)
2. increment SOA serial
3. rndc  signing -nsec3param myZone? 

Thanks, Axel
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

More information about the bind-users mailing list