From sca at andreasschulze.de Sun Nov 8 21:22:35 2015
From: sca at andreasschulze.de (A. Schulze)
Date: Sun, 08 Nov 2015 22:22:35 +0100
Subject: [ldns-users] NSEC3PARAM added by ldns-signzone
Message-ID: <20151108222235.Horde.3qxqbJG07tLYX9j3lVS4sK6@andreasschulze.de>

Hello,

The NSEC3PARAM added by

  ldns-signzone -n -s $salt -t $num_iterations

always has a TTL of 1h. Is it possible / useful to set the TTL?

( ldns-1.6.17 )

Andreas

From msheldon at godaddy.com Fri Nov 13 15:16:56 2015
From: msheldon at godaddy.com (Michael J. Sheldon)
Date: Fri, 13 Nov 2015 15:16:56 +0000
Subject: [ldns-users] NSEC3PARAM added by ldns-signzone
In-Reply-To: <20151108222235.Horde.3qxqbJG07tLYX9j3lVS4sK6@andreasschulze.de>
References: <20151108222235.Horde.3qxqbJG07tLYX9j3lVS4sK6@andreasschulze.de>

From looking at the code, the NSEC3PARAM record is created in ldns_dnssec_zone_sign_nsec3_flg_mkmap, and does not explicitly set the TTL, which is set from ldns_rr_new_frm_type, which uses LDNS_DEFAULT_TTL, which is 3600.

This is different from the NSEC3 records, which are created using the SOA Minimum field for the TTL.

Not sure if it will work with the command line app, but ldns_dnssec_zone_sign_nsec3_flg_mkmap will leave an existing NSEC3PARAM alone instead of creating a new one, so you could try that. Just be sure the parameters in the record match those you pass to ldns-signzone.

Michael Sheldon
Dev-DNS Services
GoDaddy.com

________________________________________
From: ldns-users on behalf of A. Schulze
Sent: Sunday, November 8, 2015 14:22
To: ldns-users at open.nlnetlabs.nl
Subject: [ldns-users] NSEC3PARAM added by ldns-signzone

Hello,

The NSEC3PARAM added by ldns-signzone -n -s $salt -t $num_iterations always has a TTL of 1h. Is it possible / useful to set the TTL?
( ldns-1.6.17 )

Andreas
_______________________________________________
ldns-users mailing list
ldns-users at open.nlnetlabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/ldns-users

From sca at andreasschulze.de Fri Nov 13 21:10:06 2015
From: sca at andreasschulze.de (A. Schulze)
Date: Fri, 13 Nov 2015 22:10:06 +0100
Subject: [ldns-users] NSEC3PARAM added by ldns-signzone
References: <20151108222235.Horde.3qxqbJG07tLYX9j3lVS4sK6@andreasschulze.de>
Message-ID: <564651AE.10700@andreasschulze.de>

On 13.11.2015 at 16:16, Michael J. Sheldon wrote:
> From looking at the code, the NSEC3PARAM record is created in ldns_dnssec_zone_sign_nsec3_flg_mkmap, and does not explicitly set the TTL, which is set from ldns_rr_new_frm_type, which uses LDNS_DEFAULT_TTL, which is 3600.
>
> This is different from the NSEC3 records, which are created using the SOA Minimum field for the TTL.
>
> Not sure if it will work with the command line app, but ldns_dnssec_zone_sign_nsec3_flg_mkmap will leave an existing NSEC3PARAM alone instead of creating a new one, so you could try that. Just be sure the parameters in the record match those you pass to ldns-signzone.

Michael,

Adding NSEC3PARAM to the ldns-signzone INPUT+COMMANDLINE was a good idea. It works.

  SALT='random'
  ROUNDS=2
  echo "example.org 180 IN NSEC3PARAM 1 0 $ROUNDS $SALT" >> zone2sign
  ldns-signzone ... -s $SALT -t $ROUNDS zone2sign ...

Strange: I use "ldns-read-zone -S +$DELTA" to set a new SOA serial before signing, but using -S also implies -s, which strips all DNSSEC data from the input :-/

Finally, a more general question: which TTL for NSEC3PARAM makes sense? I saw domains using a TTL of 0 !?
Andreas

From matthijs at pletterpet.nl Mon Nov 16 07:36:04 2015
From: matthijs at pletterpet.nl (Matthijs Mekking)
Date: Mon, 16 Nov 2015 08:36:04 +0100
Subject: [ldns-users] NSEC3PARAM added by ldns-signzone
In-Reply-To: <564651AE.10700@andreasschulze.de>
References: <20151108222235.Horde.3qxqbJG07tLYX9j3lVS4sK6@andreasschulze.de> <564651AE.10700@andreasschulze.de>
Message-ID: <56498764.3060504@pletterpet.nl>

Andreas,

On 13-11-15 22:10, A. Schulze wrote:
>
> On 13.11.2015 at 16:16, Michael J. Sheldon wrote:
>> From looking at the code, the NSEC3PARAM record is created in ldns_dnssec_zone_sign_nsec3_flg_mkmap, and does not explicitly set the TTL, which is set from ldns_rr_new_frm_type, which uses LDNS_DEFAULT_TTL, which is 3600.
>>
>> This is different from the NSEC3 records, which are created using the SOA Minimum field for the TTL.
>>
>> Not sure if it will work with the command line app, but ldns_dnssec_zone_sign_nsec3_flg_mkmap will leave an existing NSEC3PARAM alone instead of creating a new one, so you could try that. Just be sure the parameters in the record match those you pass to ldns-signzone.
>
> Michael,
>
> Adding NSEC3PARAM to the ldns-signzone INPUT+COMMANDLINE was a good idea. It works.
>
>   SALT='random'
>   ROUNDS=2
>   echo "example.org 180 IN NSEC3PARAM 1 0 $ROUNDS $SALT" >> zone2sign
>   ldns-signzone ... -s $SALT -t $ROUNDS zone2sign ...
>
> Strange: I use "ldns-read-zone -S +$DELTA" to set a new SOA serial before signing, but using -S also implies -s, which strips all DNSSEC data from the input :-/
>
> Finally, a more general question: which TTL for NSEC3PARAM makes sense? I saw domains using a TTL of 0 !?

A TTL of 0 seems like a good value for NSEC3PARAM, as the record is not meant to be used by validators or resolvers. However, 0 has a nasty side effect for some resolver implementations doing ANY queries: none of the retrieved RRsets would be cached (because resolvers should take the lowest TTL of the RRset).
The lowest TTL used in your apex would thus be a good value for NSEC3PARAM to overcome that side effect. I actually think that 3600 is a good default.

Best regards,
  Matthijs

>
> Andreas
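The workaround from Andreas's message and the TTL advice from Matthijs's, put together as an added POSIX shell example that is not part of this thread and not code from the ldns project: it reads the unsigned zone, takes the lowest TTL used at the apex, appends an NSEC3PARAM record with that TTL whose iterations and salt are checked against the values that will be passed to ldns-signzone as -t and -s (the mismatch Michael warns about), and bumps the SOA serial with awk rather than with "ldns-read-zone -S", which implies -s and would strip the appended record again. The sample zone, the salt aabbccdd and the iteration count are constructed; the assumption that every record carries an explicit TTL and class and that the SOA sits on one line is mine, as are all function names.

```shell
#!/bin/sh
# Added example; not code from the ldns project or from anyone in this thread.
# Assumptions (hypothetical): zone in presentation format, one record per
# line, explicit TTL and class on every record, SOA on a single line.

# Lowest TTL among records owned by the apex: the NSEC3PARAM TTL that avoids
# the TTL-0 caching side effect discussed above. Zone on stdin, number on stdout.
apex_min_ttl() {
    awk -v apex="$1" '
        $1 == apex && $2 ~ /^[0-9]+$/ {
            if (!seen || $2 + 0 < min) { min = $2 + 0; seen = 1 }
        }
        END { print (seen ? min : 0) }'
}

# NSEC3PARAM record to append to the unsigned zone, so that
# ldns_dnssec_zone_sign_nsec3_flg_mkmap keeps it (with this TTL) instead of
# creating one with LDNS_DEFAULT_TTL. Salt is hex in presentation format.
nsec3param_rr() {
    # $1 apex, $2 TTL, $3 iterations, $4 salt
    printf '%s %s IN NSEC3PARAM 1 0 %s %s\n' "$1" "$2" "$3" "$4"
}

# The record's iterations and salt must equal the -t and -s values given to
# ldns-signzone; refuse to continue on a mismatch.
nsec3param_matches() {
    _rr=$1; _iter=$2; _salt=$3
    set -- $_rr   # owner ttl class type hashalg flags iterations salt
    [ "${4:-}" = NSEC3PARAM ] && [ "${7:-}" = "$_iter" ] && [ "${8:-}" = "$_salt" ]
}

# Add $1 to the SOA serial (RFC 1982 wrap-around) and leave every other record,
# DNSSEC ones included, untouched; an alternative to "ldns-read-zone -S".
bump_soa_serial() {
    awk -v d="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA" && i + 3 <= NF) {
                    $(i + 3) = ($(i + 3) + d) % 4294967296
                    break
                }
            print
        }'
}

# Unsigned zone on stdin, ready-to-sign zone on stdout.
prepare_zone() {
    # $1 apex, $2 iterations, $3 salt
    _zone=$(cat)
    _ttl=$(printf '%s\n' "$_zone" | apex_min_ttl "$1")
    _rr=$(nsec3param_rr "$1" "$_ttl" "$2" "$3")
    nsec3param_matches "$_rr" "$2" "$3" || { echo "NSEC3PARAM mismatch" >&2; return 1; }
    printf '%s\n%s\n' "$_zone" "$_rr" | bump_soa_serial 1
}

# Constructed sample zone; 300 is the lowest apex TTL here.
UNSIGNED_ZONE=$(cat <<'EOF'
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2015111301 3600 900 1209600 180
example.org. 3600 IN NS ns1.example.org.
example.org. 300 IN MX 10 mail.example.org.
ns1.example.org. 3600 IN A 192.0.2.1
mail.example.org. 3600 IN A 192.0.2.2
EOF
)
APEX=example.org.
ITER=2
SALT=aabbccdd   # constructed hex salt

if [ "$#" -gt 0 ]; then
    # Usage: sh prepare_nsec3.sh Kexample.org.+008+NNNNN ...  (key base names)
    TOSIGN=$(mktemp)
    printf '%s\n' "$UNSIGNED_ZONE" | prepare_zone "$APEX" "$ITER" "$SALT" > "$TOSIGN"
    ldns-signzone -n -s "$SALT" -t "$ITER" "$TOSIGN" "$@"
else
    printf '%s\n' "$UNSIGNED_ZONE" | prepare_zone "$APEX" "$ITER" "$SALT"
fi
```

Run without arguments the script only prints the prepared zone, so the effect of the three steps can be inspected before any key is involved; with key base names as arguments it hands the prepared file to ldns-signzone with -n, -s and -t taken from the same variables that built the NSEC3PARAM record, which is what keeps the record and the command line in agreement.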