[dns-operations] signing a zone with NSEC3 records.

Ravi Kondamuru ravikondamuru at gmail.com
Wed Sep 9 18:32:29 UTC 2009


I am trying to sign a zone and use NSEC3 instead of NSEC.
I used the NSECRSASHA1 as the algorithm when generating the keys. I see that
the algorithm value is "7".
However when I sign the zone it still generates NSEC records in the file.
Is there some place I can look for the steps to generate NSEC3 signed zone?

I see there are 3 additional options in dnssign-zone: -3 salt (NSEC3 salt),
-H iterations (NSEC3 iterations) and -A (NSEC3 optout).
how do I generate the "salt" file?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090909/563eec64/attachment.html>

More information about the dns-operations mailing list