[dns-operations] signing a zone with NSEC3 records.

Jeremy C. Reed reed at reedmedia.net
Wed Sep 9 19:51:20 UTC 2009

On Wed, 9 Sep 2009, Ravi Kondamuru wrote:

> I am trying to sign a zone and use NSEC3 instead of NSEC.
> I used the NSECRSASHA1 as the algorithm when generating the keys. I see that
> the algorithm value is "7".
> However when I sign the zone it still generates NSEC records in the file.

NSECRSASHA1 allows for NSEC too. And dnssec-signzone defaults to NSEC.
Did you use the dnssec-signzone -3 option?

> Is there some place I can look for the steps to generate NSEC3 signed zone?
> I see there are 3 additional options in dnssign-zone: -3 salt (NSEC3 salt), 
> -H iterations (NSEC3 iterations) and -A (NSEC3 optout).
> How do I generate the "salt" file?

(I can't find "dnssign-zone".)

RFC 5155 says the length is 0 to 255 octets and is a "sequence of 
case-insensitive hexadecimal digits" (without whitespace) and it is used 
to "defend against pre-calculated dictionary attacks." The salt is a hex 
encoded string. Or you can use "-" (dash) to mean to not use a salt.

How you generate it depends on your system. Some examples:

  # zero-padded to 4 hex digits (2 whole octets)
  printf "%04x" $RANDOM

  dd if=/dev/urandom bs=16 count=1 2>/dev/null | hexdump -e \"%08x\"

(I won't discuss how "random" these are, they are just examples.)

Signing example:

dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 foo
cat Kfoo.+007+*.key >> foo
(be sure to remove the 005 DNSKEY from your zone)
dnssec-signzone -P -3 - foo
dnssec-signzone -P -3 ABCDEF foo
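
An added example, not part of the original post and not BIND's code: a Python sketch of the RFC 5155 hash showing how the -3 salt and the -H iteration count enter the hashed owner name, with a salt generator and a check of the hex presentation form. The function names and the iteration count of 10 in the demo are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import secrets

# Standard base32 alphabet -> base32hex alphabet (RFC 4648), used for NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def make_salt(octets=8):
    """Random salt as hex text, the form passed to dnssec-signzone -3."""
    if not 1 <= octets <= 255:
        raise ValueError("salt length must be 1..255 octets")
    return secrets.token_hex(octets)

def parse_salt(text):
    """Decode a salt from presentation form; "-" means no salt."""
    if text == "-":
        return b""
    if not text:
        raise ValueError('empty salt is written as "-"')
    salt = binascii.unhexlify(text)  # ValueError on odd length, whitespace, non-hex
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return salt

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name, salt_text, iterations):
    """SHA-1 over name||salt, then `iterations` further rounds of SHA-1(digest||salt)."""
    salt = parse_salt(salt_text)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

if __name__ == "__main__":
    # Constructed demo: the zone name and the two salts used in the post above.
    for salt in ("-", "ABCDEF", make_salt()):
        print(salt, nsec3_hash("foo", salt, 10))
```

The same name hashes to a different owner label under each salt, which is why a table of hashes computed in advance for one salt is of no use against another.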
