> The first one, can I configure multiple key directories? The reasoning
> for this is that I would like to separate the KSKs from the ZSKs.

No, you can't... but that's an interesting idea. Right now it's a single
key directory per zone.

> The second question. I've tried doing a resalt using dynamic updates
> but I can't get it to work. Just adding a new NSEC3PARAM RR crashes
> BIND and doing a delete and then an add (to replace the present RR)
> gives me a servfail but I see the updates in the log.
> What is the correct way to do a resalt when using automatic signing?

The way it's supposed to work is: you add the new NSEC3PARAM record, then
wait for the new NSEC3 chain to be built. The newly inserted record will,
at first, have its "flags" field set to a nonzero value; this indicates
that the chain isn't complete yet. When the server is finished building
the chain, it updates the newly-added NSEC3PARAM record, and zeroes the
flags field. At that point, it's safe to remove the old NSEC3PARAM record,
which will cause the server to remove the old NSEC3 chain.

If inserting a new NSEC3PARAM RR is crashing named, please file a
bug report.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
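
The add, wait, then remove sequence described in the reply above, as an added example that is not part of the original post or of BIND. It assumes each input line is NSEC3PARAM rdata in presentation format (`algorithm flags iterations salt`); the function names, the salts and the nonzero flags value are constructed for illustration.

```python
# Added example: decide when the old NSEC3PARAM record can be removed.
# Assumption: each input line is NSEC3PARAM rdata in presentation format,
# "algorithm flags iterations salt". All names here are hypothetical.
from typing import NamedTuple


class Nsec3Param(NamedTuple):
    algorithm: int
    flags: int
    iterations: int
    salt: str  # hex, upper-cased


def parse_nsec3param(text):
    """Return the NSEC3PARAM records found in text, skipping other lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            continue
        alg, flags, iterations = map(int, fields[:3])
        records.append(Nsec3Param(alg, flags, iterations, fields[3].upper()))
    return records


def resalt_state(records, old_salt, new_salt):
    """Map the records currently in the zone to the next step of the resalt."""
    old = [r for r in records if r.salt == old_salt.upper()]
    new = [r for r in records if r.salt == new_salt.upper()]
    if not new:
        return "add-new"        # new NSEC3PARAM not in the zone yet
    if any(r.flags != 0 for r in new):
        return "wait"           # nonzero flags: new chain still being built
    if old:
        return "remove-old"     # new chain complete, old record still present
    return "done"


# Constructed sample data (salts and the nonzero flags value are made up).
BUILDING = "1 0 10 AABBCCDD\n1 128 10 11223344\n"
COMPLETE = "1 0 10 AABBCCDD\n1 0 10 11223344\n"
FINISHED = "1 0 10 11223344\n"

if __name__ == "__main__":
    for sample in (BUILDING, COMPLETE, FINISHED):
        print(resalt_state(parse_nsec3param(sample), "aabbccdd", "11223344"))
```

Only the "remove-old" state corresponds to the point at which the reply says the old record is safe to delete.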