
Symptom:

This article is an extension of the article "manage DNSSEC zones with BIND and the Men & Mice Suite". It describes how to sign dynamic zones in BIND 9 so that NSEC3 records are generated instead of NSEC records.

Problem:

Changes to Step 2:

In step 2, you need to generate keys with an algorithm that supports NSEC3 signing, for example NSEC3RSASHA1 or RSASHA256:
bash#  sudo dnssec-keygen -K /var/named/dnssec-keys -a NSEC3RSASHA1 -b 1024 nsec3.example.net
Generating key pair....++++++ ...................++++++
Knsec3.example.net.+007+46379

bash#  sudo dnssec-keygen -f KSK -K /var/named/dnssec-keys -a NSEC3RSASHA1 -b 4096 nsec3.example.net
Generating key pair........................++ .....................................................++
Knsec3.example.net.+007+34554

Changes to Step 3:

Follow the steps in the original article until the end of step 3.

Open the zone and add an NSEC3PARAM resource record to it. The presence of an NSEC3PARAM record in the zone triggers the creation of NSEC3 records instead of NSEC records when the zone is signed.

Now follow the remaining steps in the original article.
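The following shell helper is an added example, not part of the original article or of the Men & Mice Suite: it checks the NSEC3PARAM values before they are added and prints an nsupdate batch that inserts the record into the dynamic zone. It assumes the zone accepts dynamic updates on 127.0.0.1 and uses a placeholder path for the update key.

```shell
#!/bin/sh
# Added example, not part of the original article: validate NSEC3PARAM values
# and emit an nsupdate batch that adds the record to the dynamic zone.
# Assumptions: the zone accepts dynamic updates on 127.0.0.1, and the update
# key path in the usage comment is a placeholder.

# Check the four NSEC3PARAM fields: hash algorithm (1 = SHA-1 is the only
# defined value), flags (0 or 1), iteration count and salt ("-" = empty).
nsec3param_check() {
    alg=$1; flags=$2; iters=$3; salt=$4
    [ "$alg" = 1 ] || { echo "hash algorithm must be 1 (SHA-1)" >&2; return 1; }
    case "$flags" in 0|1) ;; *) echo "flags must be 0 or 1" >&2; return 1 ;; esac
    case "$iters" in ''|*[!0-9]*) echo "iterations must be a number" >&2; return 1 ;; esac
    # RFC 5155 section 10.3 caps iterations at 150 for 1024-bit keys (the ZSK
    # size used above); RFC 9276 recommends 0 extra iterations and an empty salt.
    [ "$iters" -le 150 ] || { echo "iterations above 150 are unsafe with 1024-bit keys" >&2; return 1; }
    case "$salt" in
        -) ;;
        ''|*[!0-9A-Fa-f]*) echo "salt must be hex digits or -" >&2; return 1 ;;
        *) [ $(( ${#salt} % 2 )) -eq 0 ] || { echo "salt needs an even number of hex digits" >&2; return 1; } ;;
    esac
    return 0
}

# Print the nsupdate batch for the given zone. The NSEC3PARAM record carries a TTL of 0.
nsec3param_update() {
    zone=$1
    nsec3param_check "$2" "$3" "$4" "$5" || return 1
    printf 'server 127.0.0.1\nzone %s\nupdate add %s. 0 IN NSEC3PARAM %s %s %s %s\nsend\n' \
        "$zone" "$zone" "$2" "$3" "$4" "$5"
}

# Stand-alone demo: print the batch for the zone from the article using the
# RFC 9276 defaults. To apply it (key path is a placeholder):
#   nsec3param_update nsec3.example.net 1 0 0 - | nsupdate -k /path/to/update.key
nsec3param_update nsec3.example.net 1 0 0 -
```

After the update is accepted, `dig +dnssec nsec3.example.net NSEC3PARAM` should return the record, and subsequent signing produces NSEC3 records.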