Strange issue with signed zone
andreev.peter at gmail.com
Fri Nov 9 11:13:28 UTC 2012
2012/11/9 Peter Andreev <andreev.peter at gmail.com>:
> 2012/11/9 Tony Finch <dot at dotat.at>:
>> Peter Andreev <andreev.peter at gmail.com> wrote:
>>> We signed another zone and met the same problem again. The only
>>> difference is the algorithm - now it is RSASHA256.
>>> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
>>> > signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
>>> > Recently we realised that our servers don't generate NSEC3 for the signed zone.
>>> > The problem went away after we restarted the BIND instances.
>>> We are using views, could it be related?
>> Did you add an NSEC3PARAM record?
> Yes, we did.
Actually, without a restart, the servers generated neither NSEC3 nor NSEC.
>> The signing algorithms that support NSEC3 use NSEC by default unless the
>> zone has an NSEC3PARAM record.
>> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
>> occasionally poor at first.
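
A check for the symptom discussed in this thread, added here as an example and not code from any poster or from BIND: it classifies the AUTHORITY section of saved `dig +dnssec` output for a nonexistent name, so servers that return signatures but neither NSEC3 nor NSEC stand out. The server names, the zone `example.test` and both dig outputs are constructed samples.

```python
import re

# One record line of dig output: owner, TTL, class IN, then the RR type.
RR = re.compile(r"^\S+\s+\d+\s+IN\s+(\S+)\s")

def denial_type(dig_output):
    """Classify the AUTHORITY section of a negative `dig +dnssec` reply."""
    types, in_authority = set(), False
    for line in dig_output.splitlines():
        if line.startswith(";;"):            # section headers and comments
            in_authority = "AUTHORITY SECTION" in line
            continue
        m = RR.match(line)
        if in_authority and m:
            types.add(m.group(1))
    if "NSEC3" in types:
        return "nsec3"
    if "NSEC" in types:
        return "nsec"
    # Signed SOA but no proof of non-existence: the symptom reported above.
    return "signed-no-denial" if "RRSIG" in types else "unsigned"

def servers_not_matching(outputs, expected="nsec3"):
    """Names of servers whose negative answer lacks the expected denial type."""
    return sorted(s for s, out in outputs.items() if denial_type(out) != expected)

# Constructed sample output (not captured from real servers).
SOA = ("example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 3600 1209600 3600\n"
       "example.test. 3600 IN RRSIG SOA 8 2 3600 20121209000000 20121109000000 1 example.test. AAAA\n")
GOOD = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1\n\n"
        ";; AUTHORITY SECTION:\n" + SOA +
        "constructedhash.example.test. 3600 IN NSEC3 1 1 10 AABB CONSTRUCTEDNEXT NS SOA RRSIG\n"
        "constructedhash.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20121209000000 20121109000000 1 example.test. AAAA\n\n"
        ";; ADDITIONAL SECTION:\nns1.example.test. 3600 IN A 192.0.2.1\n")
BAD = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2\n\n"
       ";; AUTHORITY SECTION:\n" + SOA)
SAMPLES = {"ns-a": GOOD, "ns-b": BAD}      # hypothetical server names

if __name__ == "__main__":
    for name in sorted(SAMPLES):
        print(name, denial_type(SAMPLES[name]))
    print("needs attention:", servers_not_matching(SAMPLES))
```
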