Re: rndc signing -nsec3param

2012-08-12 Thread Mark Elkins
Have a look in the BIND log files when you are doing this

Look for lines containing: zone_addnsec3chain

for example, try changing just the salt...
(which is something one might do periodically...)
It all starts to make more sense.

I agree with the original posting thought - some more examples might
make this all much clearer.

On Sun, 2012-08-12 at 17:40 +, Evan Hunt wrote:
> On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> > looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
> > means:-
> > - SHA-1 is used for hashing.
> > - opt-out is turned off.
> > - iteration is done 10 times.
> > - the  is the salt.
> > Am I right? So what kind of command I should enter if I were to use
> > SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> > and salt is FF?
> > Does it look like this: 'rndc signing -nsec3param 2 1 15 FF 
> > example.com'?
> 
> SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the "hash"
> argument can only currently be set to 1.  (It would be nice if you could
> just omit it completely, since it's invariant, but we may add other hashes
> to NSEC3 in the future and had to allow for that.)
> 
> The "flags" field may someday contain more values than just opt-out, too,
> but right now that's the only defined flag, and it's the low-order bit
> in the field, which is to say 1.  So you set opt-out by setting flags to
> 1, and you unset it by setting flags to 0.
> 
> There's a known bug with the "salt" field -- it's supposed to allow you
> to omit the salt by using a hyphen ('-') instead of a salt, but that
> doesn't work in "rndc signing -nsec3param".  This will be fixed
> in 9.9.2.
> 
> The order and format of arguments given here precisely matches those in the
> NSEC3PARAM RR type. For example right now .ORG has NSEC3PARAM set to:
> 
> org.900 IN  NSEC3PARAM 1 0 1 D399EAAB
> 
> To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB ".
> 

-- 
  .  . ___. .__  Posix Systems - (South) Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rndc signing -nsec3param

2012-08-12 Thread Evan Hunt
On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
> means:-
> - SHA-1 is used for hashing.
> - opt-out is turned off.
> - iteration is done 10 times.
> - the  is the salt.
> Am I right? So what kind of command I should enter if I were to use
> SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> and salt is FFFFFF?
> Does it look like this: 'rndc signing -nsec3param 2 1 15 FF example.com'?

SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the "hash"
argument can only currently be set to 1.  (It would be nice if you could
just omit it completely, since it's invariant, but we may add other hashes
to NSEC3 in the future and had to allow for that.)

The "flags" field may someday contain more values than just opt-out, too,
but right now that's the only defined flag, and it's the low-order bit
in the field, which is to say 1.  So you set opt-out by setting flags to
1, and you unset it by setting flags to 0.

There's a known bug with the "salt" field -- it's supposed to allow you
to omit the salt by using a hyphen ('-') instead of a salt, but that
doesn't work in "rndc signing -nsec3param".  This will be fixed
in 9.9.2.

The order and format of arguments given here precisely matches those in the
NSEC3PARAM RR type. For example right now .ORG has NSEC3PARAM set to:

org.900 IN  NSEC3PARAM 1 0 1 D399EAAB

To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB ".

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: rndc signing -nsec3param

2012-08-11 Thread Nate Itkin
On Sun, Aug 12, 2012 at 11:43:47AM +0800, GS Bryan wrote:
> On Sun, Aug 12, 2012 at 2:15 AM, Nate Itkin  wrote:
> > On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> >> How exactly do I use the 'rndc signing -nsec3param' command?
> >> The usage seems to be 'rndc signing -nsec3param   
> >> name>', but even the ARM doesn't say anything about what 
> >> exactly looks like.
> >> But from what I've gleaned from Uncle Google, an example command that
> >> looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
> >> means:-
> >> - SHA-1 is used for hashing.
> >> - opt-out is turned off.
> >> - iteration is done 10 times.
> >> - the  is the salt.
> >> Am I right? So what kind of command I should enter if I were to use
> >> SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> >> and salt is FF?
> >> Does it look like this: 'rndc signing -nsec3param 2 1 15 FF 
> >> example.com'?
> >>
> >> --
> >> Bryan S.G.
> >
> >
> > Yes. See "man nsec3hash"
> >
> > --
> > Nate Itkin
> 
> Oh, but from the manpage, it says only SHA-1 is supported for hashing,
> is that correct? No other algorithms?
> --
> Bryan S.G.


AFAIK at this time. See RFC 5155 (http://tools.ietf.org/rfc/rfc5155.txt). 

-- 
Nate Itkin
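
Tying together Evan's point that the rndc arguments mirror the NSEC3PARAM RR and Nate's pointer to nsec3hash and RFC 5155, here is an added Python example (written for this page, not code from the thread or from BIND): it turns a published NSEC3PARAM record into the matching `rndc signing -nsec3param` command, rejecting the undefined hash and flag values discussed above, and reproduces the RFC 5155 owner-name hash so the NSEC3 names a signer emits can be checked independently. The .ORG record is the one quoted in the thread; the `aabbccdd`/12 parameters used in the check come from the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Sample input: the .ORG NSEC3PARAM record quoted in the thread.
ORG_NSEC3PARAM = "org. 900 IN NSEC3PARAM 1 0 1 D399EAAB"
# base32 -> base32hex alphabet (RFC 4648 section 7), lower-case as in RFC 5155.
B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789abcdefghijklmnopqrstuv")

def parse_nsec3param(rr_text):
    """Split a presentation-format NSEC3PARAM RR into (hash, flags, iterations, salt)."""
    fields = rr_text.split()
    i = fields.index("NSEC3PARAM")
    hash_alg, flags, iterations, salt = fields[i + 1:i + 5]
    return int(hash_alg), int(flags), int(iterations), salt

def nsec3param_problems(hash_alg, flags, iterations, salt):
    """List why a parameter set is not accepted; an empty list means it is fine."""
    problems = []
    if hash_alg != 1:            # RFC 5155 defines only hash algorithm 1 (SHA-1)
        problems.append("hash algorithm must be 1 (SHA-1)")
    if flags not in (0, 1):      # only the opt-out bit (value 1) is defined
        problems.append("flags must be 0 or 1 (opt-out)")
    if not 0 <= iterations <= 65535:
        problems.append("iterations must fit in 16 bits")
    if salt != "-" and (len(salt) % 2 or not all(c in "0123456789abcdefABCDEF" for c in salt)):
        problems.append("salt must be hex digits or '-'")
    return problems

def rndc_nsec3param_command(rr_text, zone):
    """Build the rndc command that reproduces a published NSEC3PARAM record."""
    params = parse_nsec3param(rr_text)
    problems = nsec3param_problems(*params)
    if problems:
        raise ValueError("; ".join(problems))
    return "rndc signing -nsec3param %d %d %d %s %s" % (*params, zone)

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format, as RFC 5155 hashes it."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed `iterations` more times, base32hex."""
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32_TO_B32HEX)
```

The salt check accepts `-` for "no salt" as the RR format does; the BIND 9.9.2 fix Evan mentions is about rndc itself accepting that hyphen, not about the record format.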


Re: rndc signing -nsec3param

2012-08-11 Thread GS Bryan
On Sun, Aug 12, 2012 at 2:15 AM, Nate Itkin  wrote:
> On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
>> How exactly do I use the 'rndc signing -nsec3param' command?
>> The usage seems to be 'rndc signing -nsec3param  
>> name>', but even the ARM doesn't say anything about what 
>> exactly looks like.
>> But from what I've gleaned from Uncle Google, an example command that
>> looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
>> means:-
>> - SHA-1 is used for hashing.
>> - opt-out is turned off.
>> - iteration is done 10 times.
>> - the  is the salt.
>> Am I right? So what kind of command I should enter if I were to use
>> SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
>> and salt is FF?
>> Does it look like this: 'rndc signing -nsec3param 2 1 15 FF 
>> example.com'?
>>
>> --
>> Bryan S.G.
>
>
> Yes. See "man nsec3hash"
>
> --
> Nate Itkin

Oh, but from the manpage, it says only SHA-1 is supported for hashing,
is that correct? No other algorithms?
--
Bryan S.G.


Re: rndc signing -nsec3param

2012-08-11 Thread Nate Itkin
On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> How exactly do I use the 'rndc signing -nsec3param' command?
> The usage seems to be 'rndc signing -nsec3param   name>', but even the ARM doesn't say anything about what 
> exactly looks like.
> But from what I've gleaned from Uncle Google, an example command that
> looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
> means:-
> - SHA-1 is used for hashing.
> - opt-out is turned off.
> - iteration is done 10 times.
> - the  is the salt.
> Am I right? So what kind of command I should enter if I were to use
> SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> and salt is FF?
> Does it look like this: 'rndc signing -nsec3param 2 1 15 FF example.com'?
> 
> --
> Bryan S.G.


Yes. See "man nsec3hash"

--
Nate Itkin


rndc signing -nsec3param

2012-08-11 Thread GS Bryan
How exactly do I use the 'rndc signing -nsec3param' command?

The usage seems to be 'rndc signing -nsec3param  ', but even the ARM doesn't say anything about what 
exactly looks like.

But from what I've gleaned from Uncle Google, an example command that
looks like this: 'rndc signing -nsec3param 1 0 10  example.com'
means:-
- SHA-1 is used for hashing.
- opt-out is turned off.
- iteration is done 10 times.
- the  is the salt.

Am I right? So what kind of command I should enter if I were to use
SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
and salt is FF?
Does it look like this: 'rndc signing -nsec3param 2 1 15 FF example.com'?

--
Bryan S.G.