NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Mark Andrews marka at isc.org
Tue Mar 6 23:14:01 UTC 2012

In message <E5C102C2-758F-407E-8970-23B60DCE737A at Chaos1.DE>, Axel Rau writes:
> Am 06.03.2012 um 17:28 schrieb Evan Hunt:
> > However, whenever you do wish to change them,
> Yes.
> > you can do so with
> > 'rndc signing -nsec3param', and the chain will be updated automatically.
> I see.
> As named is looking periodically for appearing/disappearing or changed 
> keys in the key directory, I supposed it would notice changes of 
> $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.
> So my script has to do these 3 steps on changing NSEC3PARAM:
> 1. create new NSEC3PARAM (replacing $INCLUDED file)
> 2. increment SOA serial
> 3. rndc signing -nsec3param myZone? 
> Thanks, Axel

NSEC3PARAM records should be generated by the signing software and
not just be added to the zone.  Their presence/absence changes how
the zone is served.  In particular how negative and wildcard responses
are generated.

named stages the introduction/removal of NSEC3 chains and their
associated NSEC3PARAM records.

named also stages the introduction/removal of NSEC records.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
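The procedure the thread settles on, as an added example that is not part of the original posts and not ISC's code: change the NSEC3 parameters of an inline-signed zone through `rndc signing -nsec3param` and let named generate (and stage) the NSEC3PARAM record itself, rather than editing an $INCLUDEd file and bumping the serial. It assumes the BIND 9.9 command forms `rndc signing -nsec3param <hash> <flags> <iterations> <salt> <zone>`, `rndc signing -nsec3param none <zone>` and `rndc signing -list <zone>`; the zone name, the `RNDC`/`DIG` paths, the `DRY_RUN` switch and the "NSEC3 chain" wording matched in the `-list` output are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC. Drives an NSEC3PARAM change
# on an inline-signed zone via rndc so that named creates the NSEC3 chain and
# the NSEC3PARAM record itself (the zone file is never touched).
# Assumed BIND 9.9 syntax:
#   rndc signing -nsec3param <hash> <flags> <iterations> <salt> <zone>
#   rndc signing -nsec3param none <zone>      # drop NSEC3, go back to NSEC
#   rndc signing -list <zone>                 # staged chain operations
# RNDC and DIG are assumed paths; DRY_RUN=1 prints commands without running.

RNDC=${RNDC:-rndc}
DIG=${DIG:-dig}
DRY_RUN=${DRY_RUN:-0}

# Validate one NSEC3PARAM tuple: hash flags iterations salt.
#   hash:       1 (SHA-1) is the only algorithm defined by RFC 5155
#   flags:      0, or 1 for opt-out
#   iterations: non-negative integer; keep it low, every extra iteration
#               costs the server and every validating resolver hashing work
#   salt:       "-" for no salt, else even-length hex, at most 510 chars
nsec3param_valid() {
    hash=$1 flags=$2 iters=$3 salt=$4
    [ "$hash" = 1 ] || return 1
    case $flags in 0|1) ;; *) return 1 ;; esac
    case $iters in ''|*[!0-9]*) return 1 ;; esac
    [ "$salt" = "-" ] && return 0
    case $salt in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#salt} % 2 )) -eq 0 ] && [ ${#salt} -le 510 ]
}

# Fresh 8-byte salt as 16 hex characters (od rather than xxd for portability).
random_salt() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Build the rndc command line for a zone; "none" removes the NSEC3 chain.
nsec3param_cmd() {
    zone=$1; shift
    if [ "$1" = none ]; then
        echo "$RNDC signing -nsec3param none $zone"
        return 0
    fi
    nsec3param_valid "$@" || return 1
    echo "$RNDC signing -nsec3param $1 $2 $3 $4 $zone"
}

run() { echo "+ $*"; [ "$DRY_RUN" = 1 ] || eval "$*"; }

# Apply the change, wait for named to finish the staged chain work, verify.
change_nsec3param() {
    zone=$1
    cmd=$(nsec3param_cmd "$@") || { echo "bad NSEC3PARAM: $*" >&2; return 1; }
    run "$cmd" || return 1
    # named builds/removes the chain incrementally; poll "rndc signing -list"
    # until it no longer reports a pending NSEC3 chain operation (wording of
    # that output is an assumption here).
    i=0
    while [ "$DRY_RUN" != 1 ] && $RNDC signing -list "$zone" | grep -qi 'nsec3 chain'; do
        i=$((i + 1)); [ $i -gt 60 ] && { echo "timed out waiting for named" >&2; return 1; }
        sleep 5
    done
    # The NSEC3PARAM record named publishes should now match what was requested.
    run "$DIG +short @127.0.0.1 $zone NSEC3PARAM"
}

# Usage, e.g.: change_nsec3param example.com 1 0 10 "$(random_salt)"
#          or: change_nsec3param example.com none
```

Re-salting or changing iterations is the same call with new values; named stages the new chain and retires the old one, so there is no serial to bump by hand.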
