Strange issue with signed zone

Peter Andreev andreev.peter at gmail.com
Fri Nov 9 11:08:58 UTC 2012


2012/11/9 Tony Finch <dot at dotat.at>:
> Peter Andreev <andreev.peter at gmail.com> wrote:
>>
>> We signed another zone and met the same problem again. The only
>> difference is algorithm - now it is RSASHA256.
>>
>> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
>> > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
>> > Recently we realised that our servers don't generate NSEC3 for signed zone.
>> > Problem has gone after we restarted BIND instances.
>>
>> We are using views, could it be related?
>
> Did you add an NSEC3PARAM record?

Yes, we did.

>
> The signing algorithms that support NSEC3 use NSEC by default unless the
> zone has an NSEC3PARAM record.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
> occasionally poor at first.



-- 
AP



More information about the bind-users mailing list