On Sun, Feb 13, 2011 at 11:07:31AM +0100, Stephane Bortzmeyer <bortzme...@nic.fr> wrote a message of 35 lines which said:
> Here is a master server BIND 9.7.1-P2 (with patches for PKCS#11 and > the AEP keyper HSM), with DNSSEC enabled, dynamically signing > records. ... > at least in the second case, it was when updating a DNSKEY record > (an old ZSK was retired). I was not very clear, sorry: all provisioning is done (DNSKEY included) with dynamic updates. BIND is therefore responsible for keeping the NSEC3 chain (we use opt-out, by the way), and for signing, although the actual crypto is done by an AEP Keyper HSM. _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users