NSEC3/NSEC transition
Tony Finch
dot at dotat.at
Thu Feb 14 17:07:56 UTC 2013
David Sherman <dsherman at bluecatnetworks.com> wrote:
>
> If dynamic signing is used with BIND 9.8, what is the recommended
> procedure to switch from NSEC3-signed zone to NSEC-signed without
> changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for
> both ZSK and KSK)? Any specific options for dnssec-signzone?

Use nsupdate to delete the NSEC3PARAM record - see
http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch04.html#id2563909

If you are using dynamic signing then you aren't using dnssec-signzone.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
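
The nsupdate step described in the reply above, as an added example that is not part of the original message: it builds the update that deletes the apex NSEC3PARAM RRset and then classifies which denial-of-existence records a negative answer carries. The zone name, server address, TSIG key file argument and the probe label are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Zone, server and key file
# are placeholders supplied by the operator.

# Emit the nsupdate batch that removes the NSEC3PARAM RRset at the zone apex.
# With dynamic signing, named then rebuilds the zone with an NSEC chain.
nsec3_removal_batch() {
    zone=$1
    server=$2
    printf 'server %s\nzone %s\nupdate delete %s NSEC3PARAM\nsend\n' \
        "$server" "$zone" "$zone"
}

# Classify denial-of-existence records in dig-style text read from stdin.
# Field 4 is the record type, so RRSIG lines covering NSEC/NSEC3 are ignored.
# Prints nsec3, nsec, mixed (both chains present) or none.
denial_type() {
    awk '
        $3 == "IN" && $4 == "NSEC3" { n3++ }
        $3 == "IN" && $4 == "NSEC"  { n++ }
        END {
            if (n3 && n) print "mixed"
            else if (n3) print "nsec3"
            else if (n)  print "nsec"
            else         print "none"
        }'
}

# Usage: script ZONE SERVER TSIG_KEYFILE
if [ "$#" -eq 3 ]; then
    nsec3_removal_batch "$1" "$2" | nsupdate -k "$3" || exit 1
    # Query a name that should not exist and inspect the authority section.
    # Re-signing is not instantaneous, so nsec3 may still be reported
    # until named has finished building the NSEC chain.
    dig +dnssec +noall +authority "nsec-probe-$$.$1" "@$2" | denial_type
fi
```

Once the check reports nsec, the existing DNSKEYs are unchanged and only the denial-of-existence chain has been replaced.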