changing NSEC3 salt

Graham Clinch g.clinch at
Mon Mar 10 12:38:34 UTC 2014


Sorry to hijack this older thread, but...

> rndc signing -nsec3param ...
> I would expect the old NSEC3 chain and old NSEC3PARAM record to be
> removed, once the new chain is in place.
> (Similarly, the new NSEC3PARAM record will not appear in the zone until
> the new NSEC3 chain has been completely generated).

This isn't quite what I see with inline-signing on 9.9.5:

If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain 
until the moment it has an NSEC3 chain.

If I replace an existing NSEC3 chain with a new salt, I seem to lose a
load of RRSIGs, and there are no NSEC or NSEC3 records until the
operation completes!!  For example, there are no signatures on the
DNSKEYs, which feels like a disaster.

Am I doing something wrong?  I hope so!
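A quick way to confirm whether a zone is in the state described above (RRsets without RRSIGs, no NSEC or NSEC3 chain) is to audit a dump of the signed zone. The script below is an added example, not code from the post or from BIND; it assumes a presentation-format dump with one record per line in "owner TTL class type rdata" order, and the sample zone in it is constructed.

```python
# Added example (not from the original post): audit a signed-zone dump for
# the mid-rollover state described in the thread. Assumes one record per
# line in "owner TTL class type rdata" order (e.g. from named-compilezone
# or dig axfr output). Reports unsigned RRsets and which chain is present.
from collections import defaultdict

# Constructed sample: DNSKEY and NSEC3PARAM carry no RRSIG and there is
# neither an NSEC nor an NSEC3 chain.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031001 3600 900 604800 300
example.test. 3600 IN RRSIG SOA 8 2 3600 20140410000000 20140310000000 12345 example.test. c29t
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20140410000000 20140310000000 12345 example.test. c29t
example.test. 3600 IN DNSKEY 257 3 8 AwEAAc==
example.test. 3600 IN DNSKEY 256 3 8 AwEAAd==
example.test. 0 IN NSEC3PARAM 1 0 10 1A2B3C4D
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20140410000000 20140310000000 12345 example.test. c29t
"""

def parse_zone(text):
    """Group records as {(owner, rtype): [rdata fields, ...]}."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = fields
        rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return rrsets

def audit(text):
    """Return unsigned RRsets, the chain type present, and a problem list."""
    rrsets = parse_zone(text)
    # An RRSIG's first rdata field is the type it covers.
    covered = {(o, r[0].upper()) for (o, t), rds in rrsets.items()
               if t == "RRSIG" for r in rds}
    unsigned = sorted(f"{o} {t}" for (o, t) in rrsets
                      if t != "RRSIG" and (o, t) not in covered)
    types = {t for (_o, t) in rrsets}
    chain = "NSEC" if "NSEC" in types else "NSEC3" if "NSEC3" in types else "none"
    problems = [f"unsigned RRset: {u}" for u in unsigned]
    if chain == "none":
        problems.append("no NSEC or NSEC3 chain: negative answers cannot be proven")
    if "NSEC3PARAM" in types and chain != "NSEC3":
        problems.append("NSEC3PARAM published but no NSEC3 chain present")
    return {"unsigned": unsigned, "chain": chain, "problems": problems}

if __name__ == "__main__":
    for p in audit(SAMPLE_ZONE)["problems"]:
        print(p)
```

Run it against a dump taken during the salt change; an empty problem list means every RRset is signed and a chain exists.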


