The DNSSEC public key cryptography in BIND 9.3.2 is
not backward compatible. If security is enabled for a zone using the
previous DNSSEC feature, the zone must be reconfigured for the new
DNSSEC feature by generating keys, signing the zone with the newly
generated key, and distributing the new public key.
The DNSSEC functionality in BIND 9.3.2 is tested only
with OpenSSL version A.00.09.07. This functionality may differ with
other versions of OpenSSL.