changing NSEC3 salt

Tony Finch dot at
Mon Mar 10 19:03:43 UTC 2014

Evan Hunt <each at> wrote:
> What should happen is:
>  - the old NSEC3PARAM is removed

Isn't that a bit early? Can a secondary transfer the zone while there is

>  - a private-type record is created, indicating that a
>    new NSEC3 chain is being created
>  - all the new NSEC3 records are added to the zone

>  - the new NSEC3PARAM is created

I would have thought this should be an atomic replacement of the
NSEC3PARAM record.

>  - all the old NSEC3 records are removed from the zone
>  - the private-type record is cleaned up

