nsec3 in bind 9.7

Evan Hunt each at isc.org
Sat Feb 20 00:31:38 UTC 2010


>    If you wish to sign using NSEC3 instead of NSEC, you should add an
>    NSEC3PARAM record to the initial update request. If you wish the NSEC3
>    chain to have the OPTOUT bit set, set it in the flags field of the
>    NSEC3PARAM record.
>         % nsupdate
>         > ttl 3600
> --- cut dnskey stuff ---
>         > update add example.net NSEC3PARAM 1 1 100 1234567890
>         > send
> 
> But it doesn't explain what all those param values do. I
> just want nsec3 so the zone cannot be walked from the outside.
> Not sure what optout is or what that 1234567890 is doing.

Sorry the doc was unclear there.  If it's convenient, would you please
send that as a bug report to bind9-bugs at isc.org?  We'll revisit the
doc in a future release.

To answer the question, those values are the NSEC3PARAM data for the zone,
as defined in RFC 5155.

In order, they are hash algorithm, flags, iterations, and salt.  Hash
algorithm of 1 means use SHA-1 for hashing names; flags of 1 means opt-out
and 0 means no opt-out; iterations indicates how many times to repeat the
hash function (and personally I wouldn't recommend that many); salt is
a chunk of binary data (represented in hexadecimal) that gets appended to
the name before hashing it.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
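The reply above describes the four NSEC3PARAM fields in prose only. The following is an added Python example written for this page (it is not Evan Hunt's or ISC's code and is not taken from BIND) that parses the NSEC3PARAM rdata from the quoted nsupdate session and computes the RFC 5155 hashed owner name, so the effect of the iterations and salt fields can be seen directly. Function and variable names are assumptions; the check value in the demo uses the example zone parameters from RFC 5155 Appendix A (hash algorithm 1, flags 1, 12 iterations, salt aabbccdd).

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python's base64 module
# only emits the standard base32 alphabet, so translate it position by position.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def parse_nsec3param(rdata: str):
    """Parse presentation-format NSEC3PARAM rdata: "alg flags iterations salt".
    A salt of "-" means the empty salt. Returns (alg, flags, iterations, salt_bytes)."""
    alg, flags, iterations, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iterations), salt_bytes


def opt_out(flags: int) -> bool:
    """RFC 5155 defines only bit 0 of the flags field: the Opt-Out flag."""
    return bool(flags & 0x01)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    each label length-prefixed, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, alg: int = 1) -> str:
    """Hashed owner name per RFC 5155 section 5:
       IH(salt, x, 0) = H(x || salt)
       IH(salt, x, k) = H(IH(salt, x, k-1) || salt)   for k > 0
    i.e. the name is hashed iterations + 1 times, with the salt appended each round.
    Returns the lowercase base32hex string that becomes the NSEC3 owner label."""
    if alg != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(_TO_HEX).lower()


def hash_cost(iterations: int) -> int:
    """SHA-1 invocations needed to hash one name with the given iteration count.
    The signer pays this per name, and a validating resolver pays it again for
    every name it must hash while checking an NSEC3 denial-of-existence proof."""
    return iterations + 1


if __name__ == "__main__":
    # The record from the quoted nsupdate session: "NSEC3PARAM 1 1 100 1234567890"
    alg, flags, iters, salt = parse_nsec3param("1 1 100 1234567890")
    print(f"alg={alg} opt-out={opt_out(flags)} iterations={iters} "
          f"salt={salt.hex()} sha1_calls_per_name={hash_cost(iters)}")
    # Known vector: apex of the RFC 5155 Appendix A example zone
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
```

Running the demo shows that the quoted record means SHA-1, opt-out enabled, 100 extra rounds and a five-byte salt of 12 34 56 78 90, and that each name then costs 101 hash computations for the signer and for every resolver verifying a negative answer, which is why the 100 in the example looks high. Later operational guidance (RFC 9276) recommends 0 iterations and an empty salt for exactly this reason.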


