On 05/02/2014 18:54, David Newman wrote: > The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every > time a zone's ZSK changes. > > Is this just a matter of a new 'rndc signing' command, or is some action > needed to remove the old salt? > > thanks > > dn
rndc signing -nsec3param ... I would expect the old NSEC3 chain and old NSEC3PARAM record to be removed, once the new chain is in place. (Similarly, the new NSEC3PARAM record will not appear in the zone until the new NSEC3 chain has been completely generated). Cathy _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users