> - use algo 7 with NSEC allows you to move to NSEC3 without much hassle
>   (but older resolvers won't validate your replies meanwhile)
>
> - use algo 5 with NSEC and you have to do an algorithm rollover first
>   when you want to move to NSEC3 (but meanwhile, older resolvers will
>   validate your replies).

Yes, exactly.

> Are there still any 'older' resolvers around? Maybe not...

Fewer and fewer, and they mostly aren't using DNSSEC. (They can't validate the root zone, after all.) But after some discussion last year, we still felt it was too soon to update the default algorithm in dnssec-keygen. Maybe in 9.10.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.