changing NSEC3 salt
Evan Hunt
each at isc.org
Mon Mar 10 17:20:22 UTC 2014
On Mon, Mar 10, 2014 at 12:38:34PM +0000, Graham Clinch wrote:
> This isn't quite what I see with inline-signing on 9.9.5:
>
> If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
> until the moment it has an NSEC3 chain.
>
> If I replace an existing NSEC3 chain with a new salt, I seem to lose a
> load of RRSIGs, and there are no NSEC or NSEC3 records until the
> operation completes!! For example, there are no signatures on the
> DNSKEYs, which feels like a disaster.
That's certainly not what's supposed to happen, and it isn't the
behavior I'm seeing.
What should happen is:
- the old NSEC3PARAM is removed
- a private-type record is created, indicating that a new NSEC3 chain is being created
- all the new NSEC3 records are added to the zone
- the new NSEC3PARAM is created
- all the old NSEC3 records are removed from the zone
- the private-type record is cleaned up
Looking at the journal file with named-journalprint confirms
that's what's happening on my test system. How are you doing
your tests?
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
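The sequence above can be verified from the outside rather than by reading the journal: at every point during the salt change the zone should still carry at least one complete NSEC3 chain (old or new) and the DNSKEY RRset should stay signed. The following checker is an added example written for this thread, not BIND code; it parses one-record-per-line presentation format such as `dig AXFR` output, recomputes the RFC 5155 owner-name hashes, and reports whether each chain present in the zone is closed and covers every name. The zone contents, the `TYPE65534` private-type rdata, and the key and signature data are constructed placeholders; the old chain uses the RFC 5155 appendix parameters (12 iterations, salt `aabbccdd`) so the hash routine can be checked against the RFC's published owner name.

```python
"""Check the NSEC3 chain state of a signed zone during a salt change.

Added example (not BIND code). Input is one record per line:
    owner ttl class type rdata...
as produced by `dig AXFR` or a dumped zone file. The report flags the state
described in the thread: no complete NSEC3 chain, or an unsigned DNSKEY RRset.
"""
import base64
import hashlib
from collections import defaultdict

# NSEC3 owner names use RFC 4648 base32hex; map from the standard alphabet.
_TO_HEX32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, iterations, salt_hex):
    """RFC 5155 section 5: SHA-1 over name+salt, re-hashed `iterations` more times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX32).lower()


def parse_zone(text):
    """Parse presentation-format lines into (owner, type, rdata-fields) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def check_chain_state(records, zone):
    """Report every NSEC3 chain in the zone and whether it is complete.

    A chain (keyed by iterations and salt) is complete when every non-NSEC3
    owner name hashes to an NSEC3 owner and the 'next hashed owner' fields
    form one closed loop over exactly those owners.
    """
    zone = zone.lower()
    nsec3_owners = {o for o, t, _ in records if t == "NSEC3"}
    names = {o for o, t, _ in records if o not in nsec3_owners}
    chains = defaultdict(dict)        # (iterations, salt) -> {owner_hash: next_hash}
    report = {"nsec3param": None, "chains": {}, "dnskey_signed": False}
    for owner, rtype, rdata in records:
        if rtype == "NSEC3":
            _alg, _flags, iters, salt, nxt = rdata[:5]
            chains[(int(iters), salt.lower())][owner.split(".", 1)[0]] = nxt.lower()
        elif owner == zone and rtype == "NSEC3PARAM":
            report["nsec3param"] = (int(rdata[2]), rdata[3].lower())
        elif owner == zone and rtype == "RRSIG" and rdata and rdata[0].upper() == "DNSKEY":
            report["dnskey_signed"] = True
    for (iters, salt), links in chains.items():
        covered = all(nsec3_hash(n, iters, salt) in links for n in names)
        closed = set(links.values()) == set(links)   # next-hashes are exactly the owners
        single_cycle = False
        if closed:                                   # a permutation: walking must return to start
            start = cur = next(iter(links))
            steps = 0
            while True:
                cur = links[cur]
                steps += 1
                if cur == start:
                    break
            single_cycle = steps == len(links)
        report["chains"][(iters, salt)] = covered and closed and single_cycle
    report["some_complete_chain"] = any(report["chains"].values())
    return report


def build_nsec3_chain(names, iterations, salt, zone, ttl=3600):
    """Generate NSEC3 records covering `names`; used here only to construct sample input."""
    hashes = sorted(nsec3_hash(n, iterations, salt) for n in names)
    return "\n".join(
        f"{h}.{zone} {ttl} IN NSEC3 1 0 {iterations} {salt} {hashes[(i + 1) % len(hashes)]} A RRSIG"
        for i, h in enumerate(hashes))


# Constructed sample apex and names; key, signature and private-type rdata are placeholders.
NAMES = ["example.", "a.example.", "b.example."]
APEX = """\
example. 3600 IN SOA a.example. hostmaster.example. 2014031001 7200 3600 1209600 3600
example. 3600 IN NS a.example.
example. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20140401000000 20140301000000 12345 example. PLACEHOLDERSIG==
example. 0 IN TYPE65534 \\# 5 0000000000 ; placeholder for BIND's chain-change private-type record
a.example. 3600 IN A 192.0.2.1
b.example. 3600 IN A 192.0.2.2
"""


def mid_rollover_zone():
    """Expected state during the change: old and new chains both present, NSEC3PARAM not yet re-added."""
    return (APEX + build_nsec3_chain(NAMES, 12, "aabbccdd", "example.") + "\n"
            + build_nsec3_chain(NAMES, 10, "1122", "example."))


def broken_zone():
    """The state reported in the thread: no NSEC3 records and no RRSIG on the DNSKEY RRset."""
    return "\n".join(l for l in APEX.splitlines() if "RRSIG" not in l)


if __name__ == "__main__":
    print(check_chain_state(parse_zone(mid_rollover_zone()), "example."))
    print(check_chain_state(parse_zone(broken_zone()), "example."))
```

Feeding `dig @server example. AXFR +onesoa` output into `parse_zone` and polling `check_chain_state` while the salt change runs gives a per-step record of which chains exist; a moment with `some_complete_chain` false or `dnskey_signed` false is the condition the thread treats as a bug.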