NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)
Evan Hunt
each at isc.org
Tue Mar 6 07:55:39 UTC 2012
> According to the docs it should be possible to set NSEC3PARAM on the
> unsigned version when using inline-signer mode. The signing BIND 9.9
> should then decide to use NSEC3, which salt, opt-out, etc. based on this.
> I have tried this and could not get it to work. The only way to use NSEC3
> with the inline signer atm is to run 'rndc -nsec3param' once the zone has
> been configured. Any hints?
You should be able to use 'rndc signing -nsec3param' before the zone
is signed. It's working for me:
zone "example.nil" {
        type master;
        inline-signing yes;
        auto-dnssec maintain;
        file "example1.db";
};
$ rndc signing -nsec3param 1 0 10 BEEF example.nil
$ rndc signing -list example.nil
Pending NSEC3 chain 1 0 10 BEEF
$ dnssec-keygen -3 example.nil
Generating key pair.............................................++++++
......................++++++
Kexample.nil.+007+28952
$ dnssec-keygen -3fk example.nil
Generating key pair...................................................+++
..................................+++
Kexample.nil.+007+04053
$ rndc loadkeys example.nil
$ sbin/rndc signing -list example.nil
Done signing with key 4053/NSEC3RSASHA1
Done signing with key 28952/NSEC3RSASHA1
$ dig @localhost +short nsec3param example.nil
1 0 10 BEEF
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
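As an added example, not code from this thread or from BIND itself: the NSEC3PARAM tuple that `rndc signing -nsec3param` sets and `dig` prints back ("1 0 10 BEEF" above) is four fields, and it is easy to pass a malformed or weak one. The script below parses that tuple, rejects invalid values, computes the NSEC3 owner-name hash exactly as RFC 5155 defines it (SHA-1 over the canonical wire name plus salt, re-hashed `iterations` times, base32hex-encoded), and reports settings that current guidance (RFC 9276: iterations 0, empty salt) discourages. The zone name and parameters are the ones from the post; the check thresholds are my own.

```python
import base64
import hashlib
import re

# NSEC3 uses base32hex (RFC 4648 section 7); Python's b32encode yields standard
# base32, so translate its alphabet. 20 SHA-1 bytes encode to exactly 32 chars.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def parse_nsec3param(text):
    """Parse 'alg flags iterations salt' (rndc/dig presentation format).

    Returns (alg, flags, iterations, salt_bytes). Salt '-' means empty."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError("expected 4 fields: alg flags iterations salt")
    alg, flags, iterations = (int(p) for p in parts[:3])
    salt_txt = parts[3]
    if alg != 1:  # RFC 5155 defines only hash algorithm 1 (SHA-1)
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    if flags not in (0, 1):  # bit 0 is Opt-Out; all other bits reserved
        raise ValueError("flags must be 0 or 1 (opt-out)")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations must fit in 16 bits")
    if salt_txt == "-":
        salt = b""
    else:
        # even-length hex, at most 255 bytes (the salt length field is one octet)
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,255}", salt_txt):
            raise ValueError("salt must be '-' or hex of at most 255 bytes")
        salt = bytes.fromhex(salt_txt)
    return alg, flags, iterations, salt


def _wire_name(name):
    """Canonical wire form of a DNS name (lowercase, length-prefixed labels,
    terminating zero octet) per RFC 4034 section 6.2."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, iterations, salt):
    """NSEC3 owner hash, RFC 5155 section 5: IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def policy_findings(alg, flags, iterations, salt):
    """Operational notes on a parsed NSEC3PARAM (thresholds are this example's own)."""
    findings = []
    if iterations > 0:
        findings.append("iterations > 0 adds resolver CPU cost without "
                        "meaningful security; RFC 9276 recommends 0")
    if salt:
        findings.append("a salt gives no benefit with iterations 0; "
                        "RFC 9276 recommends an empty salt ('-')")
    if flags & 1:
        findings.append("opt-out is set: unsigned delegations are not "
                        "covered by the chain (intended for large delegation zones)")
    return findings


if __name__ == "__main__":
    alg, flags, iters, salt = parse_nsec3param("1 0 10 BEEF")  # value from the post
    print("apex hash:", nsec3_hash("example.nil", iters, salt))
    for note in policy_findings(alg, flags, iters, salt):
        print("note:", note)
```

Run it against the `dig +short nsec3param` output of a zone you operate; the hash it prints for the apex should match the owner name of the NSEC3 record that covers the zone apex, which is a quick way to confirm the signer honoured the parameters you set.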