On Mon, Mar 10, 2014 at 12:38:34PM +0000, Graham Clinch wrote:
> This isn't quite what I see with inline-signing on 9.9.5:
>
> If I switch from NSEC to NSEC3, my zone continues to have an NSEC chain
> until the moment it has an NSEC3 chain.
>
> If I replace an existing NSEC3 chain with a new salt, I seem to lose a
> load of RRSIGs, and there are no NSEC or NSEC3 records until the
> operation completes!!  For example, there are no signatures on the
> DNSKEYs, which feels like a disaster.

That's certainly not what's supposed to happen, and it isn't the behavior
I'm seeing.  What should happen is:

  - the old NSEC3PARAM is removed
  - a private-type record is created, indicating that a new NSEC3
    chain is being created
  - all the new NSEC3 records are added to the zone
  - the new NSEC3PARAM is created
  - all the old NSEC3 records are removed from the zone
  - the private-type record is cleaned up

Looking at the journal file with named-journalprint confirms that's what's
happening on my test system.

How are you doing your tests?

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
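
Added example, not part of the original message and not ISC code: a small checker that reads journal text in add/del line form and confirms the six re-salt steps listed above occur in that order. The line layout, the TYPE65534 private type, and every name, salt and hash in the sample are assumptions constructed for illustration.

```python
PRIVATE = "TYPE65534"  # BIND's default private type; assumed not overridden

# Constructed journal text in add/del line form (assumed layout of
# named-journalprint output); names, salts AAAA/BBBB and hashes are made up.
GOOD = r"""del example. 3600 IN SOA ns. host. 10 3600 600 86400 3600
del example. 0 IN NSEC3PARAM 1 0 10 AAAA
add example. 0 IN TYPE65534 \# 7 0100000A02BBBB
add h1new.example. 3600 IN NSEC3 1 0 10 BBBB H2NEW SOA NS DNSKEY
add h2new.example. 3600 IN NSEC3 1 0 10 BBBB H1NEW A
add example. 0 IN NSEC3PARAM 1 0 10 BBBB
del h1old.example. 3600 IN NSEC3 1 0 10 AAAA H2OLD SOA NS DNSKEY
del h2old.example. 3600 IN NSEC3 1 0 10 AAAA H1OLD A
del example. 0 IN TYPE65534 \# 7 0100000A02BBBB
add example. 3600 IN SOA ns. host. 11 3600 600 86400 3600
"""
_l = GOOD.splitlines()
BAD = "\n".join(_l[:3] + _l[6:8] + _l[3:6] + _l[8:])  # old chain dropped too early

def parse(journal):
    """Yield (op, rrtype, rdata fields) for each add/del line."""
    for line in journal.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] in ("add", "del") and f[3] == "IN":
            yield f[0], f[4], f[5:]

def resalt_steps(journal):
    """Map journal lines onto steps 1..6 as listed in the message."""
    events = list(parse(journal))
    # The salt is the 4th rdata field of both NSEC3PARAM and NSEC3.
    salt = {op: r[3] for op, t, r in events
            if t == "NSEC3PARAM" and len(r) > 3}
    old, new = salt.get("del"), salt.get("add")
    table = {("del", "NSEC3PARAM", old): 1, ("add", PRIVATE, None): 2,
             ("add", "NSEC3", new): 3, ("add", "NSEC3PARAM", new): 4,
             ("del", "NSEC3", old): 5, ("del", PRIVATE, None): 6}
    keys = ((op, t, None if t == PRIVATE else r[3] if len(r) > 3 else None)
            for op, t, r in events)
    return [table[k] for k in keys if k in table]

def check_resalt(journal):
    """Return a list of deviations from the expected order (empty = OK)."""
    steps = resalt_steps(journal)
    problems = [f"step {n} missing" for n in range(1, 7) if n not in steps]
    problems += [f"step {b} seen after step {a}"
                 for a, b in zip(steps, steps[1:]) if b < a]
    return problems

if __name__ == "__main__":
    print(check_resalt(GOOD), check_resalt(BAD))
```

SOA and RRSIG lines are ignored, so the check still applies when the chain is built across several journal transactions.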