rndc signing -nsec3param

Evan Hunt each at isc.org
Sun Aug 12 17:40:39 UTC 2012


On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> looks like this: 'rndc signing -nsec3param 1 0 10 FFFF example.com'
> means:-
> - SHA-1 is used for hashing.
> - opt-out is turned off.
> - iteration is done 10 times.
> - the FFFF is the salt.
> Am I right? So what kind of command I should enter if I were to use
> SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> and salt is FFFFFF?
> Does it look like this: 'rndc signing -nsec3param 2 1 15 FFFFFF example.com'?

SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the "hash"
argument can only currently be set to 1.  (It would be nice if you could
just omit it completely, since it's invariant, but we may add other hashes
to NSEC3 in the future and had to allow for that.)

The "flags" field may someday contain more values than just opt-out, too,
but right now that's the only defined flag, and it's the low-order bit
in the field, which is to say 1.  So you set opt-out by setting flags to
1, and you unset it by setting flags to 0.

There's a known bug with the "salt" field -- it's supposed to allow you
to omit the salt by using a hyphen ('-') instead of a salt, but that
doesn't work in "rndc signing -nsec3param".  This will be fixed
in 9.9.2.

The order and format of arguments given here precisely matches those in the
NSEC3PARAM RR type. For example, right now .ORG has NSEC3PARAM set to:

org.                    900     IN      NSEC3PARAM 1 0 1 D399EAAB

To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB <zone>".

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
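
The field mapping described in the reply (hash algorithm, flags with opt-out as the low bit, iterations, salt with '-' meaning empty), as an added example that is not part of the original post or of BIND: it parses NSEC3PARAM rdata, builds the matching rndc command, and computes the NSEC3 owner-name hash so the effect of the iteration and salt values can be checked. The function names and the `params` dict layout are this example's own.

```python
import base64
import hashlib

# NSEC3 hash algorithm registry (RFC 5155): only 1 (SHA-1) is defined.
NSEC3_HASH_ALGS = {1: hashlib.sha1}
OPT_OUT = 0x01  # low-order bit of the flags field

# NSEC3 owner names use base32hex (RFC 4648 "extended hex" alphabet);
# translate from the standard base32 alphabet that base64.b32encode emits.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(rdata):
    """Parse NSEC3PARAM rdata text such as '1 0 1 D399EAAB' into its fields.
    A salt of '-' means an empty salt, as in the RR presentation format."""
    alg, flags, iters, salt = rdata.split()
    alg, flags, iters = int(alg), int(flags), int(iters)
    if alg not in NSEC3_HASH_ALGS:
        raise ValueError("unknown NSEC3 hash algorithm %d (only 1 = SHA-1)" % alg)
    if not 0 <= flags <= 255 or not 0 <= iters <= 65535:
        raise ValueError("flags is an 8-bit field, iterations a 16-bit field")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return {"hash_alg": alg, "flags": flags, "opt_out": bool(flags & OPT_OUT),
            "iterations": iters, "salt": salt_bytes}


def rndc_signing_command(zone, params):
    """Build the rndc command; its arguments mirror the NSEC3PARAM fields."""
    salt = params["salt"].hex().upper() or "-"
    return "rndc signing -nsec3param %d %d %d %s %s" % (
        params["hash_alg"], params["flags"], params["iterations"], salt, zone)


def nsec3_hash(name, params):
    """NSEC3 owner-name hash (RFC 5155 section 5): SHA-1(x || salt), then
    `iterations` further rounds of SHA-1(prev || salt), encoded in base32hex.
    The name is hashed in canonical (lowercase) wire format."""
    h = NSEC3_HASH_ALGS[params["hash_alg"]]
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = h(wire + params["salt"]).digest()
    for _ in range(params["iterations"]):
        digest = h(digest + params["salt"]).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()
```

Because the rndc arguments and the NSEC3PARAM rdata share one format, the same parser checks both a command you are about to issue and the record a zone already publishes.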
