On Fri, 19 Feb 2010, Shane W wrote:
> algorithm of 1 means use SHA-1 for hashing names; flags of 1 means opt-out
> and 0 means no opt-out; iterations indicates how many times to repeat the
> Hmm, when attempting to add a nsec3param via nsupdate, I get:
> NSEC only DNSKEYs and NSEC3 chains not allowed
You have likely got RSASHA1 DNSKEYs. For RSASHA1, the DNSKEY with
NSEC3 support has a different algorithm number (for newer type keys,
like RSASHA256, these are no longer separate algorithm numbers).
You would need to roll over your key first to a new algorithm, NSEC3RSASHA1.
(or start from scratch with NSEC3RSASHA1 type DNSKEYs if this is
a testing zone)
By the way, unless your zone is very large (TLD size), NSEC3 will not
give you much extra, and it is recommended for small zones not to use
it to keep debugging easier on humans, and to avoid expensive hashing
on the resolvers.
Paul
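An added example, not from this thread and not BIND's own code: a small Python pre-check that applies the rule behind the refusal above (NSEC-only DNSKEY algorithms 1, 3 and 5 block an NSEC3 chain; RSASHA1 = 5 rolls to NSEC3RSASHA1 = 7) and parses the NSEC3PARAM fields quoted at the top (hash algorithm, flags, iterations, salt). The algorithm numbers are the IANA DNSSEC registry values; the zone fragment and the `advise` wording are constructed for this example.

```python
import re
from typing import NamedTuple

# IANA DNSSEC algorithm numbers. RFC 5155 defines 6 and 7 as the NSEC3-capable
# variants of DSA and RSASHA1; every later algorithm (8, 10, 13, ...) is
# NSEC3-capable. 1, 3 and 5 are NSEC-only, which is what BIND refuses.
NSEC_ONLY = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
NSEC3_ROLLOVER = {3: (6, "NSEC3DSA"), 5: (7, "NSEC3RSASHA1")}

# Constructed sample zone fragment (key material truncated, not real keys).
ZONE_RSASHA1 = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcK... ; KSK, alg 5 = RSASHA1
example.test. 3600 IN DNSKEY 256 3 8 AwEAAdR... ; ZSK, alg 8 = RSASHA256
"""

class Nsec3Param(NamedTuple):
    hash_alg: int
    flags: int
    iterations: int
    salt: str  # hex digits, "" when the presentation form gives "-"

def parse_nsec3param(rdata):
    """Parse NSEC3PARAM presentation form: 'hash-alg flags iterations salt'."""
    alg, flags, iters, salt = rdata.split()
    p = Nsec3Param(int(alg), int(flags), int(iters), "" if salt == "-" else salt.upper())
    if p.hash_alg != 1:
        raise ValueError(f"hash algorithm {p.hash_alg} unknown (1 = SHA-1)")
    if p.flags & ~1:
        raise ValueError(f"flags {p.flags}: only bit 0 (opt-out) is defined")
    if p.salt and (len(p.salt) % 2 or not re.fullmatch(r"[0-9A-F]+", p.salt)):
        raise ValueError("salt must be hex with an even number of digits")
    return p

def dnskey_algorithms(zone_text):
    """Algorithm numbers of every DNSKEY RR in zone text (rdata: flags proto alg key)."""
    return {int(a) for a in re.findall(r"\bDNSKEY\s+\d+\s+\d+\s+(\d+)\s", zone_text)}

def nsec3_blockers(zone_text):
    """NSEC-only DNSKEY algorithms in the zone, mapped to the NSEC3 algorithm to roll to."""
    return {a: NSEC3_ROLLOVER.get(a) for a in dnskey_algorithms(zone_text) if a in NSEC_ONLY}

def advise(zone_text, nsec3param_rdata):
    """Predict whether adding this NSEC3PARAM to the zone will be accepted."""
    p = parse_nsec3param(nsec3param_rdata)
    blockers = nsec3_blockers(zone_text)
    if not blockers:
        return f"ok: opt-out={bool(p.flags & 1)}, iterations={p.iterations}"
    return "refused: " + "; ".join(
        f"roll alg {a} ({NSEC_ONLY[a]}) to alg {t[0]} ({t[1]})" if t else f"replace alg {a} ({NSEC_ONLY[a]})"
        for a, t in sorted(blockers.items()))
```

Run `advise` over a `dig DNSKEY` dump of the zone before issuing the nsupdate; it only mirrors the algorithm rule, named still performs its own validation.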
_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users