Strange issue with signed zone

Tony Finch dot at dotat.at
Fri Nov 9 10:19:03 UTC 2012


Peter Andreev <andreev.peter at gmail.com> wrote:
>
> We signed another zone and met the same problem again. The only
> difference is the algorithm - now it is RSASHA256.
>
> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
> > signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
> > Recently we realised that our servers don't generate NSEC3 for the signed zone.
> > The problem went away after we restarted the BIND instances.
>
> We are using views, could it be related?

Did you add an NSEC3PARAM record?

The signing algorithms that support NSEC3 use NSEC by default unless the
zone has an NSEC3PARAM record.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
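
The check suggested in the reply above, as an added example that is not part of the original message or of BIND: it reads zone records in presentation format and reports whether the zone is set up for NSEC or NSEC3 denial of existence. The function names, the "conflict" classification and the example.test sample records are assumptions constructed for illustration.

```python
# Added example, not from the thread. Assumes one record per line with the
# owner name written out (no multi-line records); sample data is constructed.
NSEC_ONLY = {1, 3, 5}                               # RSAMD5, DSA, RSASHA1
NSEC3_CAPABLE = {6, 7, 8, 10, 12, 13, 14, 15, 16}   # 7 = NSEC3RSASHA1, 8 = RSASHA256
CLASSES = {"IN", "CH", "HS"}

def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_fields) for each record line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop trailing comments
        if len(fields) < 3:
            continue
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class that precede the type.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if rest:
            yield owner.lower(), rest[0].upper(), rest[1:]

def denial_mode(zone_text):
    """Return (mode, notes); mode is 'unsigned', 'NSEC', 'NSEC3' or 'conflict'."""
    algs, has_param = set(), False
    for _owner, rrtype, rdata in parse_records(zone_text):
        if rrtype == "DNSKEY" and len(rdata) >= 3:
            algs.add(int(rdata[2]))                 # flags, protocol, algorithm
        elif rrtype == "NSEC3PARAM":
            has_param = True
    if not algs:
        return "unsigned", ["no DNSKEY records found"]
    if not has_param:
        notes = []
        if algs & NSEC3_CAPABLE:
            notes.append("NSEC3-capable key but no NSEC3PARAM record: NSEC is used")
        return "NSEC", notes
    if algs & NSEC_ONLY:
        return "conflict", ["NSEC3PARAM present alongside an NSEC-only key algorithm"]
    return "NSEC3", []

# Constructed sample: RSASHA256 (algorithm 8) keys, placeholder key material.
SAMPLE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcCONSTRUCTEDKSK
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcCONSTRUCTEDZSK
"""
NSEC3PARAM_RR = "example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD\n"

if __name__ == "__main__":
    print(denial_mode(SAMPLE))                      # keys only
    print(denial_mode(SAMPLE + NSEC3PARAM_RR))      # keys plus NSEC3PARAM
```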



More information about the bind-users mailing list