[dns-operations] signing a zone with NSEC3 records.

Jeremy C. Reed reed at reedmedia.net
Thu Sep 10 19:33:47 UTC 2009

On Thu, 10 Sep 2009, Ravi Kondamuru wrote:

> # 5. sign the zone with both the keys and opt for NSEC3 by using option -3:
> does not generate a signed domain.
> # indicates error: NSEC3 generation requested with NSEC only DNSKEY

dnssec-signzone is coded with the opinion that it is pointless to sign 
with both. If you have both, NSEC3 doesn't offer anything.

(Can someone comment about having NSEC and NSEC3 in same zone when 

More information about the dns-operations mailing list