[dns-operations] signing a zone with NSEC3 records.
Jeremy C. Reed
reed at reedmedia.net
Wed Sep 9 19:51:20 UTC 2009
On Wed, 9 Sep 2009, Ravi Kondamuru wrote:
> I am trying to sign a zone and use NSEC3 instead of NSEC.
> I used the NSECRSASHA1 as the algorithm when generating the keys. I see that
> the algorithm value is "7".
> However when I sign the zone it still generates NSEC records in the file.
NSECRSASHA1 allows for NSEC too. And dnssec-signzone defaults to NSEC.
Did you use dnssec-signzone -3 option?
> Is there some place I can look for the steps to generate NSEC3 signed zone?
> I see there are 3 additional options in dnssign-zone: -3 salt (NSEC3 salt),
> -H iterations (NSEC3 iterations) and -A (NSEC3 optout).
> how do I generate the "salt" file?
(I can't find "dnssign-zone".)
RFC 5155 says the length is 0 to 255 octets and is a "sequence of
case-insensitive hexadecimal digits" (without whitespace) and it is used
to "defend against pre-calculated dictionary attacks." The salt is a hex
encoded string. Or you can use "-" (dash) to mean to not use a salt.
How you generate it depends on your system. Some examples:
printf "%04x" $RANDOM
dd if=/dev/urandom bs=16 count=1 2>/dev/null | hexdump -e '"%08x"'
(I won't discuss how "random" these are, they are just examples.)
dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 foo
cat Kfoo.+007+*.key >> foo
(be sure to remove the 005 DNSKEY from your zone)
dnssec-signzone -P -3 - foo
dnssec-signzone -P -3 ABCDEF foo
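As an added illustration, not code from this thread, the script below does in Python what the signer does with the -3 salt and -H iteration count: it validates the salt under the RFC 5155 limits, generates one from urandom like the dd pipeline above, and computes the NSEC3 hashed owner name (iterated SHA-1, base32hex). The known-answer value is the RFC 5155 Appendix A example (salt aabbccdd, 12 iterations); the function names are my own.

```python
import base64
import hashlib
import os
import re

# NSEC3 owner names use the base32 "extended hex" alphabet (RFC 5155 section 5),
# so translate from the standard RFC 4648 alphabet that base64.b32encode emits.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789abcdefghijklmnopqrstuv"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def parse_salt(salt):
    """Accept a salt as dnssec-signzone -3 does: hex digits, or "-" for no salt."""
    if salt == "-":
        return b""
    if not re.fullmatch(r"[0-9A-Fa-f]*", salt) or len(salt) % 2:
        raise ValueError("salt must be an even number of hex digits or '-'")
    raw = bytes.fromhex(salt)
    if len(raw) > 255:
        raise ValueError("salt may be at most 255 octets (RFC 5155 section 3.1.5)")
    return raw


def make_salt(octets=8):
    """Fresh random salt, hex encoded, like the dd | hexdump pipeline above."""
    return os.urandom(octets).hex()


def name_to_wire(name):
    """Canonical wire form: lowercase labels, length-prefixed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = H(name|salt), IH(k) = H(IH(k-1)|salt), so
    iterations+1 SHA-1 computations; the 20-byte digest becomes 32 base32hex chars."""
    raw_salt = parse_salt(salt)
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + raw_salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


if __name__ == "__main__":
    # Same parameters as RFC 5155 Appendix A: -3 aabbccdd -H 12
    print(nsec3_hash("example.", "aabbccdd", 12))
    print(make_salt())
```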