NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Mar 7 08:50:07 UTC 2012


Hi,

It is not possible to configure NSEC3 as a default in named.conf (on a
per zone basis), is it? I would welcome such a feature.

I also find it a bit strange that BIND decides to go for NSEC, even when
the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).

Thanks.

--
Marco


On 03/07/12 00:10, Wolfgang Nagele wrote:
> Hi,
> 
> Ok that is already a bit better - at least saves a full sign with NSEC first. Wondering though, from a user perspective sending in NSEC3PARAM from the unsigned end seems like the most natural thing to do. Why complicate matters by having to use rndc here?
> 
> Cheers,
> 
> --
> Wolfgang Nagele
> Senior Systems and Network Administrator
> AusRegistry Pty Ltd
> Level 8, 10 Queens Road
> Melbourne, Victoria, Australia, 3004
> Phone +61 3 9090 1756
> Email: wolfgang.nagele at ausregistry.com.au
> Web: www.ausregistry.com.au
> 
> 
> The information contained in this communication is intended for the named recipients only. It is subject to copyright and may contain legally privileged and confidential information and if you are not an intended recipient you must not use, copy, distribute or take any action in reliance on it. If you have received this communication in error, please delete all copies from your system and notify us immediately.
> 
> On Mar 6, 2012, at 6:55 PM, Evan Hunt wrote:
> 
>>> According to the docs it should be possible to set NSEC3PARAM on the
>>> unsigned version when using inline-signer mode. The signing BIND 9.9
>>> should then decide to use NSEC3, which salt, opt-out, etc. based on this.
>>> I have tried this and could not get it to work. The only way to use NSEC3
>>> with the inline signer atm is to run 'rndc -nsec3param' once the zone has
>>> been configured. Any hints?
>>
>> You should be able to use 'rndc signing -nsec3param' before the zone
>> is signed.  It's working for me:
>>
>>    zone "example.nil" {
>>            type master;
>>            inline-signing yes;
>>            auto-dnssec maintain;
>>            file "example1.db";
>>    };
>>
>>
>>    $ rndc signing -nsec3param 1 0 10 BEEF example.nil
>>    $ rndc signing -list example.nil
>>    Pending NSEC3 chain 1 0 10 BEEF
>>    $ dnssec-keygen -3 example.nil
>>    Generating key pair.............................................++++++
>>    ......................++++++ 
>>    Kexample.nil.+007+28952
>>    $ dnssec-keygen -3fk example.nil
>>    Generating key pair...................................................+++
>>    ..................................+++ 
>>    Kexample.nil.+007+04053
>>    $ rndc loadkeys example.nil
>>    $ sbin/rndc signing -list example.nil
>>    Done signing with key 4053/NSEC3RSASHA1
>>    Done signing with key 28952/NSEC3RSASHA1
>>    $ dig @localhost +short nsec3param example.nil
>>    1 0 10 BEEF
>>
>> --
>> Evan Hunt -- each at isc.org
>> Internet Systems Consortium, Inc.
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
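The `1 0 10 BEEF` that Evan passes to `rndc signing -nsec3param` is the NSEC3PARAM rdata (hash algorithm, flags, iterations, salt), and it is what decides how every NSEC3 owner name in the signed zone is derived. The following is an added example, not code from the thread or from BIND: it implements the RFC 5155 hash (SHA-1 over the canonical wire-format name plus salt, re-hashed `iterations` times, base32hex-encoded) so you can see what those four fields do and check a zone's NSEC3 names by hand. The names under `example.nil` are constructed for the demo; the `aabbccdd` / 12-iteration vector is the one from RFC 5155 Appendix A.

```python
import hashlib

# RFC 5155 requires "base32hex" (RFC 4648 extended hex alphabet) for NSEC3
# owner names, because it preserves DNSSEC canonical ordering of the hashes.
B32HEX_ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by the root label (a single zero byte)."""
    labels = name.lower().rstrip(".").split(".") if name.strip(".") else []
    wire = b""
    for label in labels:
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError("invalid DNS label %r" % label)
        wire += bytes([len(encoded)]) + encoded
    return wire + b"\x00"


def base32hex(data: bytes) -> str:
    """Unpadded base32hex. A 20-byte SHA-1 digest always yields 32 chars."""
    bit_count = len(data) * 8
    padding = (-bit_count) % 5
    value = int.from_bytes(data, "big") << padding
    bit_count += padding
    return "".join(
        B32HEX_ALPHABET[(value >> (bit_count - 5 * (i + 1))) & 0x1F]
        for i in range(bit_count // 5)
    )


def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).
    The 'iterations' field counts the extra rounds after the first hash."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def parse_nsec3param(rdata: str) -> tuple:
    """Parse presentation-format NSEC3PARAM rdata such as '1 0 10 BEEF'.
    Returns (algorithm, flags, iterations, salt_bytes); '-' means no salt."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def nsec3_owner(name: str, zone: str, nsec3param_rdata: str) -> str:
    """Owner name of the NSEC3 RR that covers 'name' in 'zone'."""
    alg, _flags, iterations, salt = parse_nsec3param(nsec3param_rdata)
    return nsec3_hash(name, salt, iterations, alg) + "." + zone.rstrip(".") + "."


if __name__ == "__main__":
    # Parameters from the thread, applied to constructed names (not real zone data).
    for qname in ("example.nil.", "www.example.nil."):
        print(qname, "->", nsec3_owner(qname, "example.nil.", "1 0 10 BEEF"))
    # RFC 5155 Appendix A vector: example. with salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
```

To check a live zone, compare `nsec3_owner(...)` against the owner names returned by `dig +dnssec` for a nonexistent name, using the rdata from `dig nsec3param <zone>` (as Evan does at the end of his session). The flags field is where opt-out lives (`1 1 10 BEEF` would set it), and the salt is written as hex in presentation form, so `BEEF` is the two bytes `be ef`, not the ASCII string. One caveat a reader of this 2012 thread should have: RFC 9276 (2022) now recommends 0 additional iterations and an empty salt (`1 0 0 -`), since extra iterations cost validators and resolvers CPU without adding meaningful protection against offline dictionary attacks on the hashed names.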



