[dns-operations] signing a zone with NSEC3 records.
ravikondamuru at gmail.com
Thu Sep 10 18:12:15 UTC 2009
> > It is not clear which mode of operation DNS servers should be
> > configured to operate in:
> At least for BIND and NSD, there is nothing to configure, they accept
> both and serve both (otherwise, it would be an operational nightmare).
> > My understanding so far is a DNS server cannot be run in a mixed
> > (supporting both NSEC and NSEC3) mode.
> That's not true.
I was trying to confirm that on an authoritative server, a zone cannot at
the same time be configured to serve out both NSEC and NSEC3 records.
I understand that on an authoritative server ZoneA can be signed using
RSASHA1 algorithm and ZoneB using RSASHA1-NSEC3-SHA1, but it is not possible
to have ZoneC signed using both RSASHA1 and RSASHA1-NSEC3-SHA1. ZoneC has to
choose one of the two.