NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
marka at isc.org
Tue Mar 6 23:14:01 UTC 2012
In message <E5C102C2-758F-407E-8970-23B60DCE737A at Chaos1.DE>, Axel Rau writes:
> On 06.03.2012 at 17:28, Evan Hunt wrote:
> > However, whenever you do wish to change them,
> > you can do so with
> > 'rndc signing -nsec3param', and the chain will be updated automatically.
> I see.
> As named is looking periodically for appearing/disappearing or changed
> keys in the key directory, I supposed it would notice changes of
> $INCLUDEd DS or NSEC3PARAM RR automagically and act upon.
> So my script has to do these 3 steps on changing NSEC3PARAM:
> 1. create new NSEC3PARAM (replacing $INCLUDED file)
> 2. increment SOA serial
> 3. rndc signing -nsec3param myZone?
> Thanks, Axel
NSEC3PARAM records should be generated by the signing software and
not just be added to the zone. Their presence/absence changes how
the zone is served. In particular how negative and wildcard responses
named stages the introduction/removal of NSEC3 chains and their
associated NSEC3PARAM records.
named also stages the introduction/removal of NSEC records.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
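As an added example (not part of the thread or of BIND itself), a small POSIX sh helper that does what Evan and Mark describe: instead of editing the $INCLUDEd NSEC3PARAM file by hand, it validates the parameters and hands the change to named via `rndc signing -nsec3param`. The zone name and parameter values are assumed sample inputs; `rndc` is only invoked if it is installed.

```shell
#!/bin/sh
# Build the rndc command that asks an inline-signed zone to switch its
# NSEC3 chain. Arguments: zone hash flags iterations salt
# (salt is hex or "-" for no salt). Prints the command; non-zero on bad input.
nsec3_cmd() {
    zone=$1; hash=$2; flags=$3; iter=$4; salt=$5
    [ -n "$zone" ] || { echo "zone required" >&2; return 1; }
    # Only hash algorithm 1 (SHA-1) is defined for NSEC3 (RFC 5155).
    [ "$hash" = "1" ] || { echo "hash must be 1" >&2; return 1; }
    # Flags field: 0, or 1 for opt-out; other bits are reserved.
    case $flags in 0|1) ;; *) echo "flags must be 0 or 1" >&2; return 1;; esac
    # Iterations is a 16-bit field; large values only add resolver load.
    case $iter in ''|*[!0-9]*) echo "iterations must be numeric" >&2; return 1;; esac
    [ "$iter" -le 65535 ] || { echo "iterations > 65535" >&2; return 1; }
    # Salt: "-" for none, otherwise an even number of hex digits.
    case $salt in
        -) ;;
        ''|*[!0-9A-Fa-f]*) echo "salt must be hex or -" >&2; return 1;;
    esac
    if [ "$salt" != "-" ] && [ $(( ${#salt} % 2 )) -ne 0 ]; then
        echo "salt hex must have even length" >&2; return 1
    fi
    echo "rndc signing -nsec3param $hash $flags $iter $salt $zone"
}

# Command that removes the NSEC3 chain so the zone goes back to NSEC.
nsec3_off_cmd() {
    [ -n "$1" ] || return 1
    echo "rndc signing -nsec3param none $1"
}

# Apply the change when rndc is available, then show the signing state
# named reports for the zone; otherwise print what would be run.
apply_nsec3() {
    cmd=$(nsec3_cmd "$@") || return 1
    if command -v rndc >/dev/null 2>&1; then
        $cmd && rndc signing -list "$1"
    else
        echo "dry-run: $cmd"
    fi
}
```

No SOA serial bump is needed from the script: named re-signs and bumps the serial itself when it rebuilds the chain.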