NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
each at isc.org
Wed Mar 7 16:33:23 UTC 2012
On Wed, Mar 07, 2012 at 09:30:06AM +0100, Marc Lampo wrote:
> Switch from NSEC to NSEC3 !!!
> This is a statement with potentially huge consequences, IMHO.
I said "NSEC3 to NSEC", actually.
As you noted, switching from NSEC to NSEC3 requires planning: if your
domain uses a DNSKEY algorithm less than 7, you'll need to roll to a new
algorithm first. However, any algorithm that supports NSEC3 also supports
NSEC, so if you decide you don't want NSEC3 and want to revert, you can do
so quite easily.
I always recommend using 'dnssec-keygen -3' when generating keys, in
order to keep one's options open, even though I *don't* recommend
NSEC3 for most people. (It places additional computational burdens
on both the recursive and authoritative servers, for benefits that
are relatively limited if you're not a TLD operator.) I expect
we'll switch to using -3 as the default in some future release.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
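As an added illustration, not part of Evan's message or of BIND itself, here is a small pre-flight check for the planning step described above: it parses the DNSKEY records from zone text and reports which keys use an algorithm that predates NSEC3 and would need an algorithm roll first. The zone text and key material are constructed placeholders; algorithm numbers and names follow the IANA DNSSEC algorithm registry.

```python
"""Pre-flight check before an NSEC -> NSEC3 switch: are all DNSKEY algorithms NSEC3-capable?"""
import re

# DNSKEY algorithm numbers that signal NSEC3 support to validators (RFC 5155 and the
# later per-algorithm RFCs). The older RSAMD5, DSA and RSASHA1 predate NSEC3 and a
# zone signed with them must roll to a new algorithm before switching. The reverse
# direction (NSEC3 -> NSEC) needs no check: every NSEC3-capable algorithm supports NSEC.
NSEC3_CAPABLE = {6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                 10: "RSASHA512", 12: "ECC-GOST", 13: "ECDSAP256SHA256",
                 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
LEGACY = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}

# One DNSKEY RR per line: owner [ttl] [IN] DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$", re.I)

def parse_dnskeys(zone_text):
    """Return (owner, flags, algorithm) for each DNSKEY record in the zone text."""
    keys = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # strip zone-file comments
        m = DNSKEY_RE.match(line)
        if m:
            keys.append((m.group("owner"), int(m.group("flags")), int(m.group("alg"))))
    return keys

def nsec3_readiness(zone_text):
    """Return (ready, report): ready is False if any key blocks an NSEC3 switch."""
    report, ready = [], True
    for owner, flags, alg in parse_dnskeys(zone_text):
        role = "KSK" if flags & 1 else "ZSK"      # SEP bit set (257) marks the KSK
        if alg in NSEC3_CAPABLE:
            report.append(f"{owner} {role} alg {alg} ({NSEC3_CAPABLE[alg]}): NSEC3 ok")
        else:
            ready = False
            report.append(f"{owner} {role} alg {alg} ({LEGACY.get(alg, 'unknown')}): "
                          "roll to an NSEC3-capable algorithm before switching")
    return ready, report

# Constructed sample zone data; the key fields are placeholders, not real key material.
SAMPLE_ZONE = """\
; constructed sample: one RSASHA1 zone and one RSASHA256 zone
example.com. 3600 IN DNSKEY 257 3 5 AwEAAplaceholderKSK==   ; KSK, algorithm 5
example.com. 3600 IN DNSKEY 256 3 5 AwEAAplaceholderZSK==   ; ZSK, algorithm 5
example.net. 3600 IN DNSKEY 257 3 8 AwEAAplaceholderKSK==
example.net. 3600 IN DNSKEY 256 3 8 AwEAAplaceholderZSK==
"""

if __name__ == "__main__":
    ready, report = nsec3_readiness(SAMPLE_ZONE)
    print("\n".join(report))
    print("ready for NSEC3:", ready)
```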