Hi,

It is not possible to configure NSEC3 as a default in named.conf (on a per zone basis), is it? I would welcome such a feature.

I also find it a bit strange that BIND decides to go for NSEC, even when the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).

Thanks.

--
Marco

On 03/07/12 00:10, Wolfgang Nagele wrote:
> Hi,
>
> Ok that is already a bit better - at least saves a full sign with NSEC first.
> Wondering though, from a user perspective sending in NSEC3PARAM from the
> unsigned end seems like the most natural thing to do. Why complicate matters
> by having to use rndc here?
>
> Cheers,
>
> --
> Wolfgang Nagele
> Senior Systems and Network Administrator
> AusRegistry Pty Ltd
> Level 8, 10 Queens Road
> Melbourne, Victoria, Australia, 3004
> Phone +61 3 9090 1756
> Email: wolfgang.nag...@ausregistry.com.au
> Web: www.ausregistry.com.au
>
> The information contained in this communication is intended for the named
> recipients only. It is subject to copyright and may contain legally
> privileged and confidential information and if you are not an intended
> recipient you must not use, copy, distribute or take any action in reliance
> on it. If you have received this communication in error, please delete all
> copies from your system and notify us immediately.
>
> On Mar 6, 2012, at 6:55 PM, Evan Hunt wrote:
>
>>> According to the docs it should be possible to set NSEC3PARAM on the
>>> unsigned version when using inline-signer mode. The signing BIND 9.9
>>> should then decide to use NSEC3, which salt, opt-out, etc. based on this.
>>> I have tried this and could not get it to work. The only way to use NSEC3
>>> with the inline signer atm is to run 'rndc -nsec3param' once the zone has
>>> been configured. Any hints?
>>
>> You should be able to use 'rndc signing -nsec3param' before the zone
>> is signed. It's working for me:
>>
>> zone "example.nil" {
>>     type master;
>>     inline-signing yes;
>>     auto-dnssec maintain;
>>     file "example1.db";
>> };
>>
>> $ rndc signing -nsec3param 1 0 10 BEEF example.nil
>> $ rndc signing -list example.nil
>> Pending NSEC3 chain 1 0 10 BEEF
>> $ dnssec-keygen -3 example.nil
>> Generating key pair.............................................++++++
>> ......................++++++
>> Kexample.nil.+007+28952
>> $ dnssec-keygen -3fk example.nil
>> Generating key pair...................................................+++
>> ..................................+++
>> Kexample.nil.+007+04053
>> $ rndc loadkeys example.nil
>> $ sbin/rndc signing -list example.nil
>> Done signing with key 4053/NSEC3RSASHA1
>> Done signing with key 28952/NSEC3RSASHA1
>> $ dig @localhost +short nsec3param example.nil
>> 1 0 10 BEEF
>>
>> --
>> Evan Hunt -- each@isc.org
>> Internet Systems Consortium, Inc.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
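As an added illustration (not code from this thread or from BIND), the following Python computes the RFC 5155 NSEC3 owner-name hash from an NSEC3PARAM string such as the "1 0 10 BEEF" shown above, so an operator can check which hashed name a given owner will map to once the chain is built. Names, salt and iteration count are taken from the thread or from RFC 5155's own example; nothing else is assumed.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex ("Extended Hex"), which NSEC3 uses for owner names
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS name, RFC 4034 s6.2."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 s5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt)."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)  # "-" means empty salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 output -> 32 base32hex characters, no padding needed
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def nsec3_owner(name: str, zone: str, nsec3param: str) -> str:
    """Hashed owner name for `name`, given the zone and its NSEC3PARAM rdata text."""
    alg, _flags, iters, salt = nsec3param.split()
    return f"{nsec3_hash(name, salt, int(iters), int(alg))}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # parameters from the rndc output in the thread above
    print(nsec3_owner("example.nil", "example.nil", "1 0 10 BEEF"))
    print(nsec3_owner("www.example.nil", "example.nil", "1 0 10 BEEF"))
```

With the zone signed as shown in the thread, `dig +dnssec` for a name that does not exist in example.nil will return NSEC3 records whose owner names can be matched against the value this function produces for that name.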