[Opendnssec-user] Multiple NSEC3 in signconf?
Rick van Rein
rick at openfortress.nl
Tue Jan 25 09:36:49 UTC 2011
I was looking for the DTD or XML Schema describing the .signconf
files, but failed to find them.

Anyway, it's semantics, not just syntax I'm interested in:

Can we manually specify multiple NSEC3 parameter sections in
.signconf files, and if we do, will the Signer create multiple
NSEC3 portions of our zones? Will it be done quickly, or
somehow spread over time?

Background: We are preparing to migrate from shared-key policies
to non-sharing, as our HSM vendor is opening up their licenses
to support that form. It'd be best to do that with uninterrupted
DNSSEC, and we found a method for doing this by manually merging the
.signconf to an intermediate format. Adding keys is clear, but
NSEC3 is not.