changing NSEC3 salt
g.clinch at lancaster.ac.uk
Mon Mar 10 12:38:34 UTC 2014
Sorry to hijack this older thread, but..
> rndc signing -nsec3param ...
> I would expect the old NSEC3 chain and old NSEC3PARAM record to be
> removed, once the new chain is in place.
> (Similarly, the new NSEC3PARAM record will not appear in the zone until
> the new NSEC3 chain has been completely generated).
This isn't quite what I see with inline-signing on 9.9.5:
If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
until the moment it has an NSEC3 chain.
If I replace an existing NSEC3 chain with a new salt, I seem to lose a
load of RRSIGs, and there are no NSEC or NSEC3 records until the
operation completes!! For example, there are no signatures on the
DNSKEYs, which feels like a disaster.
Am I doing something wrong? I hope so!
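
A check for the condition reported in this message, as an added example that is not part of the original post or of BIND: it reads a zone snapshot in the four-field presentation format that `dig axfr` prints and reports whether the DNSKEY RRset is signed and whether an NSEC chain, or an NSEC3 chain whose salt matches an NSEC3PARAM record, is present. The function name `denial_state`, the zone `example.test.` and all records are constructed for illustration.

```python
# Added example: classify DNSSEC coverage of one zone snapshot.
# Assumes each record is "owner TTL class type rdata..." on a single line.

def denial_state(zone_text):
    """Return counts and a 'covered' verdict for one zone snapshot."""
    state = {"dnskey_signed": False, "nsec": 0, "nsec3": 0,
             "param_salts": set(), "chain_salts": set()}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 5:
            continue
        rtype, rdata = fields[3].upper(), fields[4:]
        if rtype == "RRSIG" and rdata[0].upper() == "DNSKEY":
            state["dnskey_signed"] = True          # RRSIG covering DNSKEY
        elif rtype == "NSEC":
            state["nsec"] += 1
        elif rtype == "NSEC3" and len(rdata) >= 4:
            state["nsec3"] += 1
            state["chain_salts"].add(rdata[3].upper())   # 4th field is salt
        elif rtype == "NSEC3PARAM" and len(rdata) >= 4:
            state["param_salts"].add(rdata[3].upper())
    # An NSEC3 chain only counts if an NSEC3PARAM advertises the same salt.
    has_chain = state["nsec"] > 0 or bool(
        state["param_salts"] & state["chain_salts"])
    state["covered"] = state["dnskey_signed"] and has_chain
    return state

# Constructed snapshot: signed DNSKEY plus a matching NSEC3 chain.
HEALTHY = """
example.test. 3600 IN DNSKEY 257 3 8 Q09OU1RSVUNURUQ=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20140409000000 20140310000000 12345 example.test. Q09OU1RSVUNURUQ=
example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
"""

# Constructed snapshot modelling the gap described in the message:
# no RRSIG over DNSKEY and no NSEC or NSEC3 records at all.
GAP = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031001 3600 900 604800 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20140409000000 20140310000000 12345 example.test. Q09OU1RSVUNURUQ=
example.test. 3600 IN DNSKEY 257 3 8 Q09OU1RSVUNURUQ=
"""

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("gap", GAP)):
        print(name, "covered" if denial_state(snap)["covered"] else "NOT covered")
```

Run against successive transfers taken while a salt change is in progress, a `covered` value of False marks a snapshot that validating resolvers could not verify.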