Hi,
Sorry to hijack this older thread, but..
rndc signing -nsec3param ...
I would expect the old NSEC3 chain and old NSEC3PARAM record to be
removed, once the new chain is in place.
(Similarly, the new NSEC3PARAM record will not appear in the zone until
the new NSEC3 chain has been completely generated).
This isn't quite what I see with inline-signing on 9.9.5:
If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
until the moment it has an NSEC3 chain.
If I replace an existing NSEC3 chain with a new salt, I seem to lose a
load of RRSIGs, and there are no NSEC or NSEC3 records until the
operation completes!! For example, the are no signatures on the
DNSKEYs, which feels like a disaster.
Am I doing something wrong? I hope so!
Graham
--
Graham Clinch
Systems Programmer,
Lancaster University
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
