[Opendnssec-user] Multiple NSEC3 in signconf?

Rick van Rein rick at openfortress.nl
Tue Jan 25 09:36:49 UTC 2011


I was looking for the DTD or XML Schema describing the .signconf
files, but failed to find them?

Anyway, it's semantics, not just syntax I'm interested in:

Can we manually specify multiple NSEC3 parameter sections in
.signconf files, and if we do, will the Signer create multiple
NSEC3 portions of our zones?  Will it be done quickly, or
somehow spread over time?

Background: We are preparing to migrate from shared-key policies
   to non-sharing, as our HSM vendor is opening up their licenses
   to support that form.  It'd be best to do that with uninterrupted
   DNSSEC, and found a method for doing this by manually merging the
   .signconf to an intermediate format.  Adding keys is clear, but
   NSEC3 is not.


More information about the Opendnssec-user mailing list