Hello, I'm maintaining a rather big DNS zone - around 2.5 Megabytes in ASCII format, more than 40k records overall.

Authoritative server software is Bind. NSEC3PARAM in dnssec-policy was defined as:

    nsec3param optout yes salt-length 24;

Today I decided to change it to:

    nsec3param optout yes;

which, according to the defaults for my Bind version, expands to:

    nsec3param iterations 5 optout yes salt-length 8;

After issuing rndc reconfig, for around 3 minutes my monitoring went crazy, sending notifications about DNSSEC errors, but checking the zone with DNSViz and DNSSEC Analyzer reported that everything was normal. Using dig @server zone NSEC3PARAM at the problematic time, the server didn't return the NSEC3PARAM record, reporting it as missing. Three minutes later everything went back to normal. In the Bind log I see several zone transfers to slaves around every second. I presume that such a big zone can't be transferred in one part, which causes this behavior.

My question to other maintainers of big zones - do you have such experience, and what is the correct way to update NSEC3 parameters in order to have a smooth transition?

Best regards,
Misak Khachatryan
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
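A monitoring check for the situation described above, added here as an example and not code from the post or from BIND: it parses the NSEC3PARAM answer from each authoritative server and flags a missing record, a parameter mismatch between servers, or a deviation from the expected iterations and salt length (5 and 8 after the change). The server names and dig outputs are constructed; in real use each value would come from `dig @server zone NSEC3PARAM +short`.

```python
"""Compare the NSEC3PARAM record published by each authoritative server
against the parameters the dnssec-policy is expected to produce."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Nsec3Param:
    algorithm: int
    flags: int        # RFC 5155: flags are zero in NSEC3PARAM (opt-out lives in NSEC3)
    iterations: int
    salt: str         # hex string, or "-" for an empty salt


def parse_nsec3param(rdata: str) -> Optional[Nsec3Param]:
    """Parse presentation format '1 0 5 <salthex>'; None means no record answered."""
    fields = rdata.split()
    if not fields:
        return None
    if len(fields) != 4:
        raise ValueError(f"malformed NSEC3PARAM rdata: {rdata!r}")
    alg, flags, iters, salt = fields
    return Nsec3Param(int(alg), int(flags), int(iters), salt.upper())


def salt_length(p: Nsec3Param) -> int:
    """Salt length in bytes (two hex characters per byte)."""
    return 0 if p.salt == "-" else len(p.salt) // 2


def check_servers(answers: Dict[str, str], expected_iterations: int,
                  expected_salt_length: int) -> List[str]:
    """answers maps server name -> dig +short output. Returns problem strings."""
    problems: List[str] = []
    seen: Dict[str, Nsec3Param] = {}
    for server, text in answers.items():
        param = parse_nsec3param(text)
        if param is None:
            problems.append(f"{server}: NSEC3PARAM missing")
            continue
        seen[server] = param
        if param.iterations != expected_iterations:
            problems.append(f"{server}: iterations {param.iterations} != {expected_iterations}")
        if salt_length(param) != expected_salt_length:
            problems.append(f"{server}: salt length {salt_length(param)} != {expected_salt_length}")
    if len(set(seen.values())) > 1:  # servers publish different parameters
        problems.append("servers disagree: " + ", ".join(f"{s}={p.salt}" for s, p in sorted(seen.items())))
    return problems


# Constructed sample (not from the post): primary has the new 8-byte salt, one
# secondary still serves the old 24-byte salt, another answers with no record.
SAMPLE_ANSWERS = {
    "ns1.example": "1 0 5 0011223344556677",
    "ns2.example": "1 0 5 000102030405060708090A0B0C0D0E0F1011121314151617",
    "ns3.example": "",
}

if __name__ == "__main__":
    for line in check_servers(SAMPLE_ANSWERS, expected_iterations=5, expected_salt_length=8):
        print(line)
```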
