rndc signing -nsec3param
mje at posix.co.za
Sun Aug 12 18:33:25 UTC 2012
Have a look in the BIND log files when you are doing this....
Look for lines containing: zone_addnsec3chain
for example, try changing just the salt...
(which is something one might do periodically...)
It all starts to make more sense.
I agree with the original posting thought - some more examples might
make this all much clearer.
On Sun, 2012-08-12 at 17:40 +0000, Evan Hunt wrote:
> On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> > looks like this: 'rndc signing -nsec3param 1 0 10 FFFF example.com'
> > means:-
> > - SHA-1 is used for hashing.
> > - opt-out is turned off.
> > - iteration is done 10 times.
> > - the FFFF is the salt.
> > Am I right? So what kind of command I should enter if I were to use
> > SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> > and salt is FFFFFF?
> > Does it look like this: 'rndc signing -nsec3param 2 1 15 FFFFFF example.com'?
> SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the "hash"
> argument can only currently be set to 1. (It would be nice if you could
> just omit it completely, since it's invariant, but we may add other hashes
> to NSEC3 in the future and had to allow for that.)
> The "flags" field may someday contain more values than just opt-out, too,
> but right now that's the only defined flag, and it's the low-order bit
> in the field, which is to say 1. So you set opt-out by setting flags to
> 1, and you unset it by setting flags to 0.
> There's a known bug with the "salt" field -- it's supposed to allow you
> to omit the salt by using a hyphen ('-') instead of a salt, but that
> doesn't work in "rndc signing -nsec3param". This will be fixed
> in 9.9.2.
> The order and format of arguments given here precisely matches those in the
> NSEC3PARAM RR type. For example right now .ORG has NSEC3PARAM set to:
> org. 900 IN NSEC3PARAM 1 0 1 D399EAAB
> To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB <zone>".
Mark J Elkins, Cisco CCIE - Posix Systems - (South) Africa
mje at posix.co.za - Tel: +27 12 807 0590 Cell: +27 82 601 0496
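The field layout Evan describes (hash algorithm, flags, iterations, salt, in NSEC3PARAM order), as an added example that is not part of the thread or of BIND itself: the hypothetical `parse_nsec3param` applies the constraints stated above (hash must be 1, only the opt-out bit is defined, `-` means no salt), `rndc_command` turns an NSEC3PARAM RR into the matching `rndc signing -nsec3param` line, and `nsec3_hash` shows what the iterations and salt actually do to an owner name per RFC 5155.

```python
"""Validate NSEC3PARAM fields and compute NSEC3 owner-name hashes (added example)."""
import base64
import hashlib

# base32 (RFC 4648 standard alphabet) -> base32hex ("Extended Hex" alphabet) used by NSEC3
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(fields):
    """Validate (hash, flags, iterations, salt) text fields using the rules from the thread.
    Returns (hash_alg, opt_out, iterations, salt_bytes)."""
    hash_alg, flags, iterations, salt = int(fields[0]), int(fields[1]), int(fields[2]), fields[3]
    if hash_alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    if flags not in (0, 1):
        raise ValueError("only the opt-out flag (low-order bit) is defined")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations is a 16-bit field")
    # "-" means an empty salt (the thread notes rndc did not accept it before 9.9.2)
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return hash_alg, bool(flags & 1), iterations, salt_bytes


def rndc_command(rr_text, zone):
    """Turn an NSEC3PARAM RR, e.g. 'org. 900 IN NSEC3PARAM 1 0 1 D399EAAB', into the rndc line."""
    tokens = rr_text.split()
    i = tokens.index("NSEC3PARAM")
    hash_alg, opt_out, iterations, salt = parse_nsec3param(tokens[i + 1:i + 5])
    salt_txt = salt.hex().upper() or "-"
    return f"rndc signing -nsec3param {hash_alg} {int(opt_out)} {iterations} {salt_txt} {zone}"


def nsec3_hash(owner, salt, iterations):
    """RFC 5155 section 5: SHA-1(wire_name || salt), then re-hash (digest || salt)
    `iterations` more times; the owner name is canonical (lowercased) wire format."""
    labels = [lbl for lbl in owner.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).rstrip("=")


if __name__ == "__main__":
    print(rndc_command("org. 900 IN NSEC3PARAM 1 0 1 D399EAAB", "org"))
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
```

The last line reproduces the RFC 5155 Appendix A hash for the zone apex, which is a convenient way to check a local implementation before reading hashed owner names out of the zone_addnsec3chain log lines.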