2012/11/9 Peter Andreev <andreev.pe...@gmail.com>:
> 2012/11/9 Tony Finch <d...@dotat.at>:
>> Peter Andreev <andreev.pe...@gmail.com> wrote:
>>>
>>> We signed another zone and met the same problem again. The only
>>> difference is algorithm - now it is RSASHA256.
>>>
>>> > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we
>>> > signed first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT.
>>> > Recently we realised that our servers don't generate NSEC3 for signed
>>> > zone.
>>> > Problem has gone after we restarted BIND instances.
>>>
>>> We are using views, could it be related?
>>
>> Did you add an NSEC3PARAM record?
>
> Yes, we did.
>
Actually, without a restart, the servers didn't generate either NSEC3 or NSEC.

>>
>> The signing algorithms that support NSEC3 use NSEC by default unless the
>> zone has an NSEC3PARAM record.
>>
>> Tony.
>> --
>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
>> Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
>> Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
>> occasionally poor at first.
>
>
>
> --
> AP

--
AP
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
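The symptom discussed in this thread (a signed zone that carries an NSEC3PARAM record but serves neither NSEC3 nor NSEC records) can be checked from the zone's records. The following is an added example, not part of the original messages and not BIND code; the function names and the sample records are constructed for illustration.

```python
# Added example: classify how a signed zone proves non-existence, given
# records in presentation format ("owner ttl IN type rdata...").

def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for each record line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 4 or fields[2].upper() != "IN":
            continue                               # not a record line
        yield fields[0].lower(), fields[3].upper(), fields[4:]

def denial_mode(text):
    """Report the denial-of-existence state of the zone in `text`."""
    seen = set()
    opt_out = False
    for _owner, rtype, rdata in parse_records(text):
        seen.add(rtype)
        # NSEC3 rdata: hash-alg, flags, iterations, salt, next, types...
        # Bit 0 of the flags field is the opt-out flag.
        if rtype == "NSEC3" and len(rdata) >= 2 and int(rdata[1]) & 0x01:
            opt_out = True
    if not {"DNSKEY", "RRSIG"} <= seen:
        mode = "unsigned"
    elif "NSEC3" in seen:
        mode = "nsec3"
    elif "NSEC" in seen:
        mode = "nsec"
    else:
        mode = "signed-no-denial-chain"            # the state reported above
    return {"mode": mode, "nsec3param": "NSEC3PARAM" in seen, "opt_out": opt_out}

# Constructed sample: a zone signed with NSEC3 and opt-out (values are fake).
SAMPLE_NSEC3 = """\
example. 3600 IN SOA ns1.example. host.example. 1 7200 900 1209600 3600
example. 3600 IN DNSKEY 257 3 8 AwEAAc==
example. 3600 IN RRSIG SOA 8 1 3600 20121209000000 20121109000000 12345 example. c2ln
example. 0 IN NSEC3PARAM 1 0 10 AABB
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 10 AABB 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG DNSKEY NSEC3PARAM
"""
# Constructed sample: the same zone with the NSEC3 record missing.
SAMPLE_STUCK = "\n".join(
    l for l in SAMPLE_NSEC3.splitlines() if " NSEC3 " not in l)

if __name__ == "__main__":
    for name, zone in (("nsec3", SAMPLE_NSEC3), ("stuck", SAMPLE_STUCK)):
        print(name, denial_mode(zone))
```

A result of `signed-no-denial-chain` with `nsec3param` set to true corresponds to the state described in the thread: the NSEC3PARAM record exists, but no NSEC3 or NSEC records are present.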