rndc signing -nsec3param
Mark Elkins
mje at posix.co.za
Sun Aug 12 18:33:25 UTC 2012
Have a look in the BIND log files when you are doing this....
Look for lines containing: zone_addnsec3chain
for example, try changing just the salt...
(which is something one might do periodically...)
It all starts to make more sense.
I agree with the original posting thought - some more examples might
make this all much clearer.
On Sun, 2012-08-12 at 17:40 +0000, Evan Hunt wrote:
> On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> > looks like this: 'rndc signing -nsec3param 1 0 10 FFFF example.com'
> > means:-
> > - SHA-1 is used for hashing.
> > - opt-out is turned off.
> > - iteration is done 10 times.
> > - the FFFF is the salt.
> > Am I right? So what kind of command I should enter if I were to use
> > SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> > and salt is FFFFFF?
> > Does it look like this: 'rndc signing -nsec3param 2 1 15 FFFFFF example.com'?
>
> SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the "hash"
> argument can only currently be set to 1. (It would be nice if you could
> just omit it completely, since it's invariant, but we may add other hashes
> to NSEC3 in the future and had to allow for that.)
>
> The "flags" field may someday contain more values than just opt-out, too,
> but right now that's the only defined flag, and it's the low-order bit
> in the field, which is to say 1. So you set opt-out by setting flags to
> 1, and you unset it by setting flags to 0.
>
> There's a known bug with the "salt" field -- it's supposed to allow you
> to omit the salt by using a hyphen ('-') instead of a salt, but that
> doesn't work in "rndc signing -nsec3param". This will be fixed
> in 9.9.2.
>
> The order and format of arguments given here precisely matches those in the
> NSEC3PARAM RR type. For example right now .ORG has NSEC3PARAM set to:
>
> org. 900 IN NSEC3PARAM 1 0 1 D399EAAB
>
> To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB <zone>".
>
--
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
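The thread's point is that the arguments to "rndc signing -nsec3param" are the NSEC3PARAM rdata fields in the same order (hash, flags, iterations, salt). The following is an added example, not code from the thread or from BIND: it parses an NSEC3PARAM record, validates the fields against what is actually defined (hash algorithm 1 only, opt-out as the low bit of flags, hex or "-" salt), produces the matching rndc invocation, and computes an NSEC3 owner hash per RFC 5155 so the meaning of iterations and salt is visible. The helper names (parse_nsec3param, rndc_command, nsec3_hash, dns_wire) are my own.

```python
"""Map an NSEC3PARAM RR to the matching `rndc signing -nsec3param` call and
compute an NSEC3 owner hash (RFC 5155) from the same parameters.
Added example; helper names are assumptions, not BIND or thread code."""
import base64
import hashlib

NSEC3_SHA1 = 1        # the only hash algorithm defined for NSEC3
FLAG_OPT_OUT = 0x01   # the only defined flag: the low-order bit


def parse_nsec3param(rr_text):
    """Parse presentation format, e.g. 'org. 900 IN NSEC3PARAM 1 0 1 D399EAAB'."""
    fields = rr_text.split()
    owner, rdata = fields[0], fields[fields.index("NSEC3PARAM") + 1:]
    if len(rdata) != 4:
        raise ValueError("NSEC3PARAM needs exactly 4 rdata fields")
    alg, flags, iterations = (int(x) for x in rdata[:3])
    salt = rdata[3]
    if alg != NSEC3_SHA1:
        raise ValueError("hash algorithm %d is not defined for NSEC3" % alg)
    if flags & ~FLAG_OPT_OUT:
        raise ValueError("flags %d sets undefined bits" % flags)
    if salt != "-":
        bytes.fromhex(salt)  # raises ValueError on a non-hex salt
    return {"zone": owner.rstrip("."), "alg": alg, "flags": flags,
            "iterations": iterations, "salt": salt}


def rndc_command(p):
    """Same field order as the RR: hash flags iterations salt, then the zone."""
    return "rndc signing -nsec3param %d %d %d %s %s" % (
        p["alg"], p["flags"], p["iterations"], p["salt"], p["zone"])


def opt_out(p):
    return bool(p["flags"] & FLAG_OPT_OUT)


def dns_wire(name):
    """Canonical (lower-case) wire form of an owner name, root terminated."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def nsec3_hash(name, p):
    """RFC 5155 s.5: H(x) = SHA1(x || salt), applied iterations+1 times,
    then base32hex (RFC 4648 s.7), lower case, no padding."""
    salt = b"" if p["salt"] == "-" else bytes.fromhex(p["salt"])
    digest = dns_wire(name)
    for _ in range(p["iterations"] + 1):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()
```

The hash test vector (salt aabbccdd, 12 iterations, owner "example.") is the one in RFC 5155 Appendix A.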