David Sherman <dsher...@bluecatnetworks.com> wrote: > > If dynamic signing is used with BIND 9.8, what is the recommended > procedure to switch from NSEC3-signed zone to NSEC-signed without > changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for > both ZSK and KSK)? Any specific options for dnssec-signzone?
Use nsupdate to delete the NSEC3PARAM record - see http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch04.html#id2563909 If you are using dynamic signing then you aren't using dnssec-signzone. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users