ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

grammer [RT #18679]

Browse Source
This commit is contained in:
Mark Andrews
2008-10-17 03:11:26 +00:00
parent f6a3a85c77
commit 703027d266
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
NSEC3-NOTES
View File

@@ -19,7 +19,7 @@ placing them in the key-directory as specified in named.conf.
key-directory "dynamic/example.net";
};
Assuming one KSK and ons ZSK DNSKEY key has been generated. Then
Assuming one KSK and one ZSK DNSKEY key have been generated. Then
this will cause the zone to be signed with the ZSK and the DNSKEY
RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
generated as part of the initial signing process.
@@ -31,11 +31,11 @@ generated as part of the initial signing process.
> send
While the update request will complete almost immediately the zone
will not be completely signed until named has hand time to walk the
will not be completely signed until named has had time to walk the
zone and generate the NSEC and RRSIG records. Initially the NSEC
record at the zone apex will have the OPT bit set. When the NSEC
chain is complete the OPT bit will be cleared. Additionally when
the zone fully signed the private type (default TYPE65535) records
the zone is fully signed the private type (default TYPE65535) records
will have a non zero value for the final octet.
The private type record has 5 octets.
@@ -79,10 +79,10 @@ anchor repositories of the new KSK.
You should then wait for the maximum TLL in the zone before removing the
old DNSKEY. If it is a KSK that is being updated you also need to wait
for the DS RRset in the parent to be updated and its TTL to expire.
This ensures that all clients will be able to verify atleast a signature
This ensures that all clients will be able to verify at least a signature
when you remove the old DNSKEY.
The can be removed the old DNSKEY via UPDATE. Take care to specify
The old DNSKEY can be removed via UPDATE. Take care to specify
the correct key. Named will clean out any signatures generated by
the old key after the update completes.
@@ -108,7 +108,7 @@ NSEC chain will be generated before the NSEC3 chain is removed.
Converting from secure to insecure
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
will be removed as will as associated NSEC3PARAM records. The will
will be removed as well as associated NSEC3PARAM records. This will
take place after the update requests completes.
Periodic re-signing.