Am Freitag, den 26.06.2015, 09:53 +0200 schrieb Peter J. Philipp: > I can't find the -3 - option to generate NSEC3 RR's with > dnssec-signzone. Am I reading the manual page wrong or is this a > missing feature? If it is I'll probably leave NSEC3 out.
That's because old OpenBSD used an old version of ISC Bind (and thus an old version of dnssec-tools). Solution 1 (ISC): Get a newer version of bind from ports. You do not need to use the bind itself, it's the /usr/local/bin/dnssec-signzone, you're looking for. Solution 2 (NLnet Labs): Get ldns from ports. Cheers David