Strange issue with signed zone
Peter Andreev
andreev.peter at gmail.com
Fri Nov 9 11:13:28 UTC 2012
2012/11/9 Peter Andreev <andreev.peter at gmail.com>:
> 2012/11/9 Tony Finch <dot at dotat.at>:
>> Peter Andreev <andreev.peter at gmail.com> wrote:
>>>
>>> We signed another zone and met the same problem again. The only
>>> difference is algorithm - now it is RSASHA256.
>>>
>>> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
>>> > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
>>> > Recently we realised that our servers don't generate NSEC3 for signed zone.
>>> > Problem has gone after we restarted BIND instances.
>>>
>>> We are using views, could it be related?
>>
>> Did you add an NSEC3PARAM record?
>
> Yes, we did.
>
Actually without restart, servers didn't generate neither NSEC3, nor NSEC.
>>
>> The signing algorithms that support NSEC3 use NSEC by default unless the
>> zone has an NSEC3PARAM record.
>>
>> Tony.
>> --
>> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
>> occasionally poor at first.
>
>
>
> --
> AP
--
AP
More information about the bind-users
mailing list