Have a look in the BIND log files when you are doing this.... Look for lines containing: zone_addnsec3chain

For example, try changing just the salt... (which is something one might do periodically...) It all starts to make more sense.

I agree with the original posting thought - some more examples might make this all much clearer.

On Sun, 2012-08-12 at 17:40 +0000, Evan Hunt wrote:
> On Sun, Aug 12, 2012 at 01:17:11AM +0800, GS Bryan wrote:
> > looks like this: 'rndc signing -nsec3param 1 0 10 FFFF example.com'
> > means:-
> > - SHA-1 is used for hashing.
> > - opt-out is turned off.
> > - iteration is done 10 times.
> > - the FFFF is the salt.
> > Am I right? So what kind of command should I enter if I were to use
> > SHA-256 for hashing, opt-out is turned on, iteration is done 15 times,
> > and salt is FFFFFF?
> > Does it look like this: 'rndc signing -nsec3param 2 1 15 FFFFFF
> > example.com'?
>
> SHA-256 is not (yet?) a defined hash algorithm for NSEC3, so the "hash"
> argument can only currently be set to 1. (It would be nice if you could
> just omit it completely, since it's invariant, but we may add other hashes
> to NSEC3 in the future and had to allow for that.)
>
> The "flags" field may someday contain more values than just opt-out, too,
> but right now that's the only defined flag, and it's the low-order bit
> in the field, which is to say 1. So you set opt-out by setting flags to
> 1, and you unset it by setting flags to 0.
>
> There's a known bug with the "salt" field -- it's supposed to allow you
> to omit the salt by using a hyphen ('-') instead of a salt, but that
> doesn't work in "rndc signing -nsec3param". This will be fixed
> in 9.9.2.
>
> The order and format of arguments given here precisely matches those in the
> NSEC3PARAM RR type. For example right now .ORG has NSEC3PARAM set to:
>
> org. 900 IN NSEC3PARAM 1 0 1 D399EAAB
>
> To duplicate that you'd use "rndc signing -nsec3param 1 0 1 D399EAAB <zone>".

-- 
. . ___. .__            Posix Systems - (South) Africa
/| /| / /__             m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS   Tel: +27 12 807 0590   Cell: +27 82 601 0496
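Added example (not code from the thread, from BIND, or from ISC): the script below makes the points in Evan's reply concrete. It parses the presentation format of an NSEC3PARAM record (hash, flags, iterations, salt), rejects the values the post says are undefined (any hash other than 1), reads opt-out as the low-order flag bit, treats "-" as the empty salt, and builds the equivalent "rndc signing -nsec3param" command, which shows why .ORG's record maps one-to-one onto the rndc arguments. It also computes the NSEC3 owner-name hash per RFC 5155 (SHA-1 over the wire-format name plus salt, re-hashed "iterations" more times, base32hex output), so you can see what changing the salt or iteration count actually does to the chain. Function names are my own; the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations) are used as a known vector.

```python
import base64
import hashlib
import re

# NSEC3 owner names are base32hex (RFC 4648 "extended hex"); Python's
# b32encode uses the standard alphabet, so translate it.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)

# Only hash algorithm 1 (SHA-1) is defined for NSEC3 (RFC 5155).
DEFINED_HASH_ALGS = {1: "SHA-1"}
OPT_OUT_FLAG = 0x01  # the only defined flag: low-order bit


def parse_nsec3param(rr_text):
    """Parse 'owner [ttl] [class] NSEC3PARAM hash flags iterations salt'.

    Returns a dict with the numeric fields, an opt_out boolean and the
    salt as a hex string ('' when the record says '-').
    """
    fields = rr_text.split()
    if "NSEC3PARAM" not in fields:
        raise ValueError("not an NSEC3PARAM record")
    rdata = fields[fields.index("NSEC3PARAM") + 1:]
    if len(rdata) != 4:
        raise ValueError("expected 4 rdata fields: hash flags iterations salt")
    hash_alg, flags, iterations = (int(x) for x in rdata[:3])
    if hash_alg not in DEFINED_HASH_ALGS:
        raise ValueError("hash algorithm %d is not defined for NSEC3" % hash_alg)
    if not 0 <= flags <= 255:
        raise ValueError("flags is a single octet")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations is a 16-bit field")
    salt_hex = "" if rdata[3] == "-" else rdata[3]
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})*", salt_hex):
        raise ValueError("salt must be an even number of hex digits, or '-'")
    return {
        "hash": hash_alg,
        "flags": flags,
        "opt_out": bool(flags & OPT_OUT_FLAG),
        "iterations": iterations,
        "salt": salt_hex,
    }


def rndc_signing_command(params, zone):
    """Build the rndc command whose arguments mirror the NSEC3PARAM rdata.

    The empty salt is written as '-', the documented syntax (the post
    notes that rndc before 9.9.2 did not accept it).
    """
    salt = params["salt"] or "-"
    return "rndc signing -nsec3param %d %d %d %s %s" % (
        params["hash"], params["flags"], params["iterations"], salt, zone
    )


def name_to_wire(name):
    """Canonical (lower-cased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied 1 + iterations times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


if __name__ == "__main__":
    # The .ORG record quoted in the thread.
    org = parse_nsec3param("org. 900 IN NSEC3PARAM 1 0 1 D399EAAB")
    print(org)
    print(rndc_signing_command(org, "org"))
    # Same owner, two different salts: a salt change re-hashes the whole chain.
    for salt in ("aabbccdd", "FFFF"):
        print(salt, nsec3_hash("example.", salt, 12))
```

Running it prints the parsed .ORG parameters, the matching rndc line, and two different owner hashes for "example." that differ only in salt, which is exactly what the zone_addnsec3chain log lines reflect when the salt is rotated.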