NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Wolfgang Nagele wolfgang.nagele at ausregistry.com.au
Tue Mar 6 23:10:04 UTC 2012 

Hi,

Ok that is already a bit better - at least saves a full sign with NSEC first. Wondering though, from a user perspective sending in NSEC3PARAM from the unsigned end seems like the most natural thing to do. Why complicate matters by having to use rndc here?

Cheers,

--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone +61 3 9090 1756
Email: wolfgang.nagele at ausregistry.com.au
Web: www.ausregistry.com.au


The information contained in this communication is intended for the named recipients only. It is subject to copyright and may contain legally privileged and confidential information and if you are not an intended recipient you must not use, copy, distribute or take any action in reliance on it. If you have received this communication in error, please delete all copies from your system and notify us immediately.

On Mar 6, 2012, at 6:55 PM, Evan Hunt wrote:

>> According to the docs it should be possible to set NSEC3PARAM on the
>> unsigned version when using inline-signer mode. The signing BIND 9.9
>> should then decide to use NSEC3, which salt, opt-out, etc. based on this.
>> I have tried this and could not get it to work. The only way to use NSEC3
>> with the inline signer atm is to run 'rndc -nsec3param' once the zone has
>> been configured. Any hints?
> 
> You should be able to use 'rndc signing -nsec3param' before the zone
> is signed.  It's working for me:
> 
>    zone "example.nil" {
>            type master;
>            inline-signing yes;
>            auto-dnssec maintain;
>            file "example1.db";
>    };
> 
> 
>    $ rndc signing -nsec3param 1 0 10 BEEF example.nil
>    $ rndc signing -list example.nil
>    Pending NSEC3 chain 1 0 10 BEEF
>    $ dnssec-keygen -3 example.nil
>    Generating key pair.............................................++++++
>    ......................++++++ 
>    Kexample.nil.+007+28952
>    $ dnssec-keygen -3fk example.nil
>    Generating key pair...................................................+++
>    ..................................+++ 
>    Kexample.nil.+007+04053
>    $ rndc loadkeys example.nil
>    $ sbin/rndc signing -list example.nil
>    Done signing with key 4053/NSEC3RSASHA1
>    Done signing with key 28952/NSEC3RSASHA1
>    $ dig @localhost +short nsec3param example.nil
>    1 0 10 BEEF
> 
> --
> Evan Hunt -- each at isc.orggg
> Internet Systema Consortium, Inc.

More information about the bind-users mailing list