[dns-operations] signing a zone with NSEC3 records.

Ravi Kondamuru ravikondamuru at gmail.com
Wed Sep 9 20:57:37 UTC 2009

Thanks for your reply.

I have been able to sign the zone with the steps you mentioned.
I am using bind 9.6.1-P1 and there is no "-P" option in it.
I removed that and dnssec-signzone created a signed zone.

It looks like NSEC3 is a draft but .gov seems to be still using NSEC3. It is
not clear which mode of operation DNS servers should be configured to
operate in: NSEC (till NSEC3 becomes a standard) or NSEC3. My understanding
so far is a DNS server cannot be run in a mixed (supporting both NSEC and
NSEC3) mode.

Any thoughts on that in this forum?


On Wed, Sep 9, 2009 at 12:51 PM, Jeremy C. Reed <reed at reedmedia.net> wrote:

> On Wed, 9 Sep 2009, Ravi Kondamuru wrote:
> > I am trying to sign a zone and use NSEC3 instead of NSEC.
> > I used the NSECRSASHA1 as the algorithm when generating the keys. I see
> > that the algorithm value is "7".
> > However when I sign the zone it still generates NSEC records in the file.
> NSECRSASHA1 allows for NSEC too. And dnssec-signzone defaults to NSEC.
> Did you use dnssec-signzone -3 option?
> > Is there some place I can look for the steps to generate NSEC3 signed
> > zone?
> >
> > I see there are 3 additional options in dnssign-zone: -3 salt (NSEC3
> > salt), -H iterations (NSEC3 iterations) and -A (NSEC3 optout).
> > how do I generate the "salt" file?
> (I can't find "dnssign-zone".)
> RFC 5155 says the length is 0 to 255 octets and is a "sequence of
> case-insensitive hexadecimal digits" (without whitespace) and it is used
> to "defend against pre-calculated dictionary attacks." The salt is a hex
> encoded string. Or you can use "-" (dash) to mean to not use a salt.
> How you generate it depends on your system. Some examples:
>  printf "%x" `echo $RANDOM`
>  dd if=/dev/urandom bs=16 count=1 2>/dev/null | hexdump -e \"%08x\"
> (I won't discuss how "random" these are, they are just examples.)
> Signing example:
> dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 foo
> cat Kfoo.+007+*.key >> foo
> (be sure to remove the 005 DNSKEY from your zone)
> dnssec-signzone -P -3 - foo
>   or
> dnssec-signzone -P -3 ABCDEF foo