NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Evan Hunt each at isc.org
Tue Mar 6 17:10:33 UTC 2012

On Tue, Mar 06, 2012 at 05:52:05PM +0100, Axel Rau wrote:
> As named is looking periodically for appearing/disappearing or changed
> keys in the key directory, I supposed it would notice changes of
> $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.
> So my script has to do these 3 steps on changing NSEC3PARAM:
> 1. create new NSEC3PARAM (replacing $INCLUDED file)
> 2. increment SOA serial
> 3. rndc  signing -nsec3param myZone? 

No $INCLUDE file is necessary for this.

If you were using auto-dnssec with a dynamic DNS zone in BIND 9.7 or
higher, you could use 'nsupdate' to insert a new NSEC3PARAM record.
This causes several things to happen:

   - a new NSEC3 chain is generated for the zone
   - the new NSEC3PARAM record is inserted
   - the old NSEC3PARAM record (if any) is removed
   - the old NSEC or NSEC3 chain is removed
   - the SOA serial number is incremented

Now in BIND 9.9, if you're using auto-dnssec with either a dynamic
DNS or an inline-signing zone, then you can do this same thing by
running 'rndc signing -nsec3param' instead of 'nsupdate'.  Your script
that creates a new include file and bumps the SOA serial number is no
longer needed for NSEC3PARAM updates.

As for DS records, those are updated like any other data in the zone
(i.e., use 'nsupdate' for dynamic DNS, or update your zone file and
run 'rndc reload' for inline-signing zones).

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list