Hi,
Ok that is already a bit better - at least saves a full sign with NSEC first.
Wondering though, from a user perspective sending in NSEC3PARAM from the
unsigned end seems like the most natural thing to do. Why complicate matters by
having to use rndc here?
Cheers,
--
Wolfgang Nagele
Senior Systems and Network Administrator
AusRegistry Pty Ltd
Level 8, 10 Queens Road
Melbourne, Victoria, Australia, 3004
Phone +61 3 9090 1756
Email: wolfgang.nag...@ausregistry.com.au
Web: www.ausregistry.com.au
The information contained in this communication is intended for the named
recipients only. It is subject to copyright and may contain legally privileged
and confidential information and if you are not an intended recipient you must
not use, copy, distribute or take any action in reliance on it. If you have
received this communication in error, please delete all copies from your system
and notify us immediately.
On Mar 6, 2012, at 6:55 PM, Evan Hunt wrote:
>> According to the docs it should be possible to set NSEC3PARAM on the
>> unsigned version when using inline-signer mode. The signing BIND 9.9
>> should then decide to use NSEC3, which salt, opt-out, etc. based on this.
>> I have tried this and could not get it to work. The only way to use NSEC3
>> with the inline signer atm is to run 'rndc -nsec3param' once the zone has
>> been configured. Any hints?
>
> You should be able to use 'rndc signing -nsec3param' before the zone
> is signed. It's working for me:
>
> zone "example.nil" {
> type master;
> inline-signing yes;
> auto-dnssec maintain;
> file "example1.db";
> };
>
>
> $ rndc signing -nsec3param 1 0 10 BEEF example.nil
> $ rndc signing -list example.nil
> Pending NSEC3 chain 1 0 10 BEEF
> $ dnssec-keygen -3 example.nil
> Generating key pair.............................................++++++
> ......................++++++
> Kexample.nil.+007+28952
> $ dnssec-keygen -3fk example.nil
> Generating key pair...................................................+++
> ..................................+++
> Kexample.nil.+007+04053
> $ rndc loadkeys example.nil
> $ sbin/rndc signing -list example.nil
> Done signing with key 4053/NSEC3RSASHA1
> Done signing with key 28952/NSEC3RSASHA1
> $ dig @localhost +short nsec3param example.nil
> 1 0 10 BEEF
>
> --
> Evan Hunt -- each@isc.orggg
> Internet Systema Consortium, Inc.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
