[dns-operations] signing a zone with NSEC3 records.
Jeremy C. Reed
reed at reedmedia.net
Thu Sep 10 19:33:47 UTC 2009
On Thu, 10 Sep 2009, Ravi Kondamuru wrote:

> # 5. sign the zone with both the keys and opt for NSEC3 by using option -3:
> does not generate a signed domain.
> # indicates error: NSEC3 generation requested with NSEC only DNSKEY

dnssec-signzone is coded with the opinion that it is pointless to sign
with both. If you have both, NSEC3 doesn't offer anything.

(Can someone comment about having NSEC and NSEC3 in the same zone when
transitioning?)