NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Evan Hunt each at isc.org
Wed Mar 7 16:33:23 UTC 2012

On Wed, Mar 07, 2012 at 09:30:06AM +0100, Marc Lampo wrote:
> Switch from NSEC to NSEC3 !!!
> This is a statement with potentially huge consequences, IMHO.

I said "NSEC3 to NSEC", actually.

As you noted, switching from NSEC to NSEC3 requires planning: if your
domain uses a DNSKEY algorithm less than 7, you'll need to roll to a new
algorithm first.  However, any algorithm that supports NSEC3 also supports
NSEC, so if you decide you don't want NSEC3 and want to revert, you can do
so quite easily.

I always recommend using 'dnssec-keygen -3' when generating keys, in
order to keep one's options open, even though I *don't* recommend
NSEC3 for most people.  (It places additional computational burdens
on both the recursive and authoritative servers, for benefits that
are relatively limited if you're not a TLD operator.)  I expect
we'll switch to using -3 as the default in some future release.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list