changing NSEC3 salt

Evan Hunt each at
Mon Mar 10 17:20:22 UTC 2014

On Mon, Mar 10, 2014 at 12:38:34PM +0000, Graham Clinch wrote:
> This isn't quite what I see with inline-signing on 9.9.5:
> If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain 
> until the moment it has an NSEC3 chain.
> If I replace an existing NSEC3 chain with a new salt, I seem to lose a 
> load of RRSIGs, and there are no NSEC or NSEC3 records until the 
> operation completes!!  For example, there are no signatures on the 
> DNSKEYs, which feels like a disaster.

That's certainly not what's supposed to happen, and it isn't the
behavior I'm seeing.

What should happen is:

 - the old NSEC3PARAM is removed
 - a private-type record is created, indicating that a
   new NSEC3 chain is being created
 - all the new NSEC3 records are added to the zone
 - the new NSEC3PARAM is created
 - all the old NSEC3 records are removed from the zone
 - the private-type record is cleaned up

Looking at the journal file with named-journalprint confirms
that's what's happening on my test system.  How are you doing
your tests?

Evan Hunt -- each at
Internet Systems Consortium, Inc.
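An added example (not from this thread or from BIND itself) of how an operator could check which of the steps above a zone is in at any instant: it parses a zone dump in presentation format, groups the NSEC3 records by hash algorithm, iterations and salt, checks whether each group forms a closed chain of next-hash pointers, compares that with the published NSEC3PARAM, and confirms the DNSKEY RRset is still signed. It assumes BIND's default private record type TYPE65534 and one RR per line; the two sample zones, their hashed owner names, salts, key and signature data are constructed placeholders.

```python
"""Inspect the NSEC3 state of a signed zone dump (added example, not from the thread).

Run it against dumps taken during a salt change to see which chain(s) exist,
whether they are complete, and whether the DNSKEY RRset is still signed.
"""
from collections import defaultdict

# Assumption: BIND's default private record type (sig-signing-type 65534).
PRIVATE_TYPE = "TYPE65534"


def parse_zone(text):
    """Return (owner, type, rdata) tuples from presentation-format text, one RR per line."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):           # skip blanks and $-directives
            continue
        fields = line.split()
        if len(fields) < 4:                            # owner ttl class type [rdata...]
            continue
        owner, _ttl, _cls, rtype = fields[:4]
        records.append((owner.lower(), rtype.upper(), " ".join(fields[4:])))
    return records


def nsec3_key(rdata):
    """(alg, iterations, salt) from NSEC3 or NSEC3PARAM rdata; the flags field is ignored."""
    alg, _flags, iters, salt = rdata.split()[:4]
    return (alg, iters, salt.upper())


def nsec3_chains(records):
    """Map each (alg, iterations, salt) to the number of NSEC3 records carrying it."""
    chains = defaultdict(int)
    for _owner, rtype, rdata in records:
        if rtype == "NSEC3":
            chains[nsec3_key(rdata)] += 1
    return dict(chains)


def chain_closed(records, key):
    """True if the NSEC3 records under `key` form one closed loop of next-hash pointers."""
    nxt = {}
    for owner, rtype, rdata in records:
        if rtype == "NSEC3" and nsec3_key(rdata) == key:
            next_hash = rdata.split()[4]
            nxt[owner.split(".")[0].upper()] = next_hash.upper()
    if not nxt:
        return False
    start = next(iter(nxt))
    cur, seen = start, set()
    while cur in nxt and cur not in seen:
        seen.add(cur)
        cur = nxt[cur]
    return cur == start and len(seen) == len(nxt)


def chain_state(records):
    """Summarise the zone's NSEC3 situation in one dict (expects an SOA at the apex)."""
    apex = next(o for o, t, _ in records if t == "SOA")
    params = [nsec3_key(r) for o, t, r in records if t == "NSEC3PARAM" and o == apex]
    chains = nsec3_chains(records)
    return {
        "nsec3param": params[0] if params else None,
        "chains": chains,
        "closed_chains": [k for k in chains if chain_closed(records, k)],
        "private_type": any(t == PRIVATE_TYPE for _, t, _ in records),
        "dnskey_signed": any(
            t == "RRSIG" and o == apex and r.split()[0] == "DNSKEY" for o, t, r in records
        ),
    }


# Constructed zone captured after the new chain (salt 11223344) has been added
# but before the new NSEC3PARAM is published.  Hashed owner names, salts, key
# and signature data are placeholders, not real values.
MID_ROLLOVER = r"""
example.com.          3600 IN SOA    ns1.example.com. hostmaster.example.com. 2014031001 7200 3600 1209600 3600
example.com.          3600 IN DNSKEY 257 3 8 AwEAAcPLACEHOLDERKEY==
example.com.          3600 IN RRSIG  DNSKEY 8 2 3600 20140410000000 20140310000000 12345 example.com. PLACEHOLDERSIG==
example.com.             0 IN TYPE65534 \# 5 0800000000 ; chain build in progress
0a1b2c3d.example.com. 3600 IN NSEC3  1 0 10 AABBCCDD 4E5F6G7H A RRSIG
4e5f6g7h.example.com. 3600 IN NSEC3  1 0 10 AABBCCDD 0A1B2C3D A RRSIG
8i9j0k1l.example.com. 3600 IN NSEC3  1 0 10 11223344 2M3N4O5P A RRSIG
2m3n4o5p.example.com. 3600 IN NSEC3  1 0 10 11223344 8I9J0K1L A RRSIG
"""

# Constructed zone in the state the quoted report describes: no chain at all
# and no signature over the DNSKEY RRset.
NO_CHAIN = r"""
example.com. 3600 IN SOA    ns1.example.com. hostmaster.example.com. 2014031002 7200 3600 1209600 3600
example.com. 3600 IN DNSKEY 257 3 8 AwEAAcPLACEHOLDERKEY==
example.com.    0 IN TYPE65534 \# 5 0800000000
"""

if __name__ == "__main__":
    for name, text in (("mid-rollover", MID_ROLLOVER), ("no-chain", NO_CHAIN)):
        print(name, chain_state(parse_zone(text)))
```

In the healthy mid-rollover dump the checker reports two closed chains and no NSEC3PARAM, which is exactly the window between steps three and four of the sequence above; in the second dump it reports no chain and an unsigned DNSKEY RRset, the symptom in the quoted report.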
