Thank you, Mark.

Is it safe to keep the -u option for dnssec-signzone in all cases, regardless of the current actual NSEC/NSEC3 chains?

Thanks,
David

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: February-14-13 3:23 PM
To: David Sherman
Cc: bind-us...@isc.org
Subject: Re: NSEC3/NSEC transition

In message <CB52CF69EC353F4FBC9BA1581123C72E1C73D14C@TORMBXW01.bluecatnetworks.corp>, David Sherman writes:
> Hi,
>
> If dynamic signing is used with BIND 9.8, what is the recommended
> procedure to switch from NSEC3-signed zone to NSEC-signed without
> changing existing DNSKEYs (currently RSA/SHA-512 algorithms are used for
> both ZSK and KSK)?
> Any specific options for dnssec-signzone?

Throw the signed zone in an editor. Remove all the NSEC3 records.
Remove the NSEC3PARAM records. Sign the zone but DO NOT use -3 or -H.
If you don't specify a salt or iterations then an NSEC chain will be built
instead of an NSEC3 chain.

For a dynamic zone just remove all NSEC3PARAM records. named will do
the rest.

> Thanks,
> David

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
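
The manual edit described in the reply for a statically signed zone (remove the NSEC3 and NSEC3PARAM records before re-signing without -3), written as a stdin-to-stdout filter. This is an added example, not part of the thread and not BIND code; the function names are hypothetical, and also dropping the RRSIGs that cover the removed records is this example's assumption.

```python
import re

DROP = {"NSEC3", "NSEC3PARAM"}
TTL_OR_CLASS = re.compile(r"(?:\d+[smhdw]?)+|IN|CH|HS", re.I)

def bare(line):
    """Return line without quoted strings and without its ';' comment.
    Assumption: no escaped quotes (\\") inside quoted strings."""
    return re.sub(r'"[^"]*"', "", line).split(";")[0]

def logical_records(text):
    """Yield each record as a list of physical lines, joining '(' ... ')' spans."""
    buf, depth = [], 0
    for line in text.splitlines():
        code = bare(line)
        depth += code.count("(") - code.count(")")
        buf.append(line)
        if depth <= 0:
            yield buf
            buf, depth = [], 0
    if buf:
        yield buf

def drop_nsec3(text):
    """Return the zone text without NSEC3/NSEC3PARAM records and their RRSIGs."""
    out, owner, owner_written = [], None, False
    for lines in logical_records(text):
        tokens = " ".join(bare(l) for l in lines).replace("(", " ").replace(")", " ").split()
        if not tokens or tokens[0].startswith("$"):
            out.extend(lines)  # blank line, comment, or $ORIGIN/$TTL directive
            continue
        has_owner = not lines[0][0].isspace()
        if has_owner:
            owner, owner_written = tokens.pop(0), False
        while tokens and TTL_OR_CLASS.fullmatch(tokens[0]):
            tokens.pop(0)  # optional TTL and class precede the type
        rtype = tokens[0].upper() if tokens else ""
        covered = tokens[1].upper() if rtype == "RRSIG" and len(tokens) > 1 else ""
        if rtype in DROP or covered in DROP:
            continue
        if not has_owner and not owner_written and owner:
            # The line that carried this owner name was dropped; restore it here.
            lines = [owner + lines[0]] + lines[1:]
        owner_written = True
        out.extend(lines)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    import sys
    sys.stdout.write(drop_nsec3(sys.stdin.read()))
```

Run it on a copy of the signed zone file and compare the output with the original before re-signing.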