Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-28 Thread Evan Hunt
> "rndc signing -nsec3param" can change your salt. Specifying "auto"
> as the salt causes named to generate a salt at random.

I forgot to mention that the "auto" feature is new in 9.10, not in older versions.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-28 Thread Johannes Kastl
On 28.07.14 19:09 Evan Hunt wrote:
> On Mon, Jul 28, 2014 at 06:16:13PM +0200, Johannes Kastl wrote:
>> So basically BIND cannot do that for me, each time it does a key
>> rollover. That's what I wanted to know.
>
> "rndc signing -nsec3param" can ch

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-28 Thread Evan Hunt
On Mon, Jul 28, 2014 at 06:16:13PM +0200, Johannes Kastl wrote:
> > In the same cron job, it is then possible to create a new NSEC3
> > salt and inject that into the zone.
>
> So basically BIND cannot do that for me, each time it does a key
> rollover. That's what I wanted to know.

"rndc signing

Re: Bind and ZSK-Rollovers: Changing salt automatically?

2014-07-28 Thread Johannes Kastl
Hi Carsten and all,

sorry for the late reply.

On 24.07.14 19:53 Carsten Strotmann wrote:
> I'm not aware that BIND 9 can do a ZSK rollover all on its own, it
> is however possible to set the timing values on the ZSK key files
> in a way that BIND 9