Strange issue with signed zone

Tony Finch dot at
Fri Nov 9 10:19:03 UTC 2012

Peter Andreev <andreev.peter at> wrote:
> We signed another zone and met the same problem again. The only
> difference is the algorithm - now it is RSASHA256.
> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> > signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> > Recently we realised that our servers don't generate NSEC3 for the signed zone.
> > The problem went away after we restarted the BIND instances.
> We are using views, could it be related?

Did you add an NSEC3PARAM record?

The signing algorithms that support NSEC3 use NSEC by default unless the
zone has an NSEC3PARAM record.

f.anthony.n.finch  <dot at>
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
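
The rule in the reply above, as an added example that is not part of the original message or of BIND: a Python check that reads a zone's apex records in dig-style text and reports whether the zone will use NSEC or NSEC3. The zone name example., the placeholder key data and the function names are assumptions made for illustration.

```python
# Added example (not from the original thread): classify how a signed zone
# will prove non-existence, from records as printed by `dig +noall +answer`.

# DNSKEY algorithm numbers that allow NSEC3 (IANA registry); 1, 3 and 5 do not.
NSEC3_CAPABLE = {6, 7, 8, 10, 12, 13, 14, 15, 16}

def parse_records(text):
    """Yield (owner, rtype, rdata_fields) from 'owner ttl class type rdata...' lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 5:
            yield parts[0].lower(), parts[3].upper(), parts[4:]

def parse_nsec3param(fields):
    """Decode NSEC3PARAM rdata: hash algorithm, flags, iterations, salt ('-' = empty)."""
    hash_alg, flags, iterations = (int(f) for f in fields[:3])
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations, "salt": salt}

def denial_mode(text, apex):
    """Return 'unsigned', 'nsec', 'nsec3' or 'conflict' for the zone at `apex`."""
    apex = apex.lower()
    records = [r for r in parse_records(text) if r[0] == apex]
    key_algs = {int(f[2]) for _, t, f in records if t == "DNSKEY"}
    # RFC 5155: an NSEC3PARAM whose flags field is not zero must be ignored.
    params = [p for p in (parse_nsec3param(f) for _, t, f in records if t == "NSEC3PARAM")
              if p["flags"] == 0]
    if not key_algs:
        return "unsigned"
    if not params:
        return "nsec"        # the case in the reply: no NSEC3PARAM, so NSEC is used
    return "nsec3" if key_algs <= NSEC3_CAPABLE else "conflict"

# Constructed sample zones; key material is a placeholder, not real data.
RSASHA256_NO_PARAM = """
example. 3600 IN DNSKEY 257 3 8 AwEAAcPLACEHOLDER
example. 3600 IN SOA ns1.example. hostmaster.example. 1 3600 600 86400 3600
"""
RSASHA256_WITH_PARAM = RSASHA256_NO_PARAM + "example. 0 IN NSEC3PARAM 1 0 10 AABBCCDD\n"
RSASHA1_WITH_PARAM = """
example. 3600 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDER
example. 0 IN NSEC3PARAM 1 0 10 -
"""

if __name__ == "__main__":
    for name in ("RSASHA256_NO_PARAM", "RSASHA256_WITH_PARAM", "RSASHA1_WITH_PARAM"):
        print(name, "->", denial_mode(globals()[name], "example."))
```

The "conflict" result marks a zone whose DNSKEY algorithm (such as 5, RSASHA1) does not permit NSEC3 even though an NSEC3PARAM record is present.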

More information about the bind-users mailing list