[ldns-users] NSEC3PARAM added by ldns-signzone

A. Schulze sca at andreasschulze.de
Fri Nov 13 21:10:06 UTC 2015



On 13.11.2015 at 16:16, Michael J. Sheldon wrote:
>  From looking at the code, the NSEC3PARAM record is created in ldns_dnssec_zone_sign_nsec3_flg_mkmap, and does not explicitly set the TTL, which is set from ldns_rr_new_frm_type, which uses LDNS_DEFAULT_TTL, which is 3600.
>
> This is different from the NSEC3 records, which are created using the SOA Minimum field for the TTL.
>
> Not sure if it will work with the command line app, but ldns_dnssec_zone_sign_nsec3_flg_mkmap will leave an existing NSEC3PARAM alone instead of creating a new one, so you could try that. Just be sure the parameters in the record match those you pass to ldns-signzone.

Michael,

Adding NSEC3PARAM to the ldns-signzone input and command line was a good idea.
It works.

   SALT='random'
   ROUNDS=2
   # the record carries an explicit TTL (180); its iterations and salt
   # must match the -t and -s values given to ldns-signzone
   echo "example.org 180 IN NSEC3PARAM 1 0 $ROUNDS $SALT" >> zone2sign
   ldns-signzone ... -s $SALT -t $ROUNDS zone2sign ...

Strange: I use "ldns-read-zone -S +$DELTA" to set a new SOA serial before signing,
but using -S also implies -s, which strips all DNSSEC data from the input :-/

Finally, a more general question: which TTL for NSEC3PARAM makes sense?
I saw domains using a TTL of 0 !?

Andreas
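The procedure discussed in this message (pre-seed the zone with an NSEC3PARAM record carrying the TTL you want, then sign with matching -s/-t values) as an added shell example; this is not code from the ldns project or from either poster. It assumes ldns-signzone's -n (NSEC3), -s (hex salt) and -t (iterations) flags as shown in its usage output, and the zone lines used to exercise the check are constructed. The check also ignores RRSIG records that cover NSEC3PARAM, which would otherwise match when the input is an already-signed zone.

```shell
#!/bin/sh
# Added example, not code from the ldns project or from the mail above.
# Assumes ldns-signzone accepts -n (NSEC3), -s <hex salt>, -t <iterations>.
# All zone content fed to these functions is constructed for illustration.

# Print an NSEC3PARAM record with an explicit TTL. ldns leaves an existing
# NSEC3PARAM alone, so this is how the TTL is controlled instead of getting
# LDNS_DEFAULT_TTL (3600) from ldns_rr_new_frm_type.
# Usage: make_nsec3param <owner> <ttl> <iterations> <hex-salt | ->
make_nsec3param() {
    # RFC 5155 4.1.2: NSEC3PARAM Flags must be 0; hash algorithm 1 = SHA-1.
    printf '%s %s IN NSEC3PARAM 1 0 %s %s\n' "$1" "$2" "$3" "$4"
}

# Verify that the NSEC3PARAM already in <zonefile> matches the -t/-s values
# about to be passed to ldns-signzone. Returns 0 on match, 1 otherwise.
# Salt comparison is case-insensitive ('-' means the empty salt). A field
# "NSEC3PARAM" directly after "RRSIG" is the covered type of a signature,
# not the record itself, and is skipped.
# Usage: check_nsec3param <zonefile> <iterations> <hex-salt | ->
check_nsec3param() {
    awk -v want_iters="$2" -v want_salt="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        {
            for (i = 1; i <= NF; i++)
                if (toupper($i) == "NSEC3PARAM" &&
                    (i == 1 || toupper($(i-1)) != "RRSIG")) {
                    found++; alg = $(i+1); flags = $(i+2)
                    iters = $(i+3); salt = tolower($(i+4))
                    break
                }
        }
        END {
            err = ""
            if (found == 0)      err = "no NSEC3PARAM record in zone"
            else if (found > 1)  err = "more than one NSEC3PARAM record"
            else if (alg != 1)   err = "hash algorithm " alg " is not 1 (SHA-1)"
            else if (flags != 0) err = "NSEC3PARAM flags must be 0, got " flags
            else if (iters != want_iters)
                err = "iterations " iters " != -t " want_iters
            else if (salt != want_salt)
                err = "salt " salt " != -s " want_salt
            if (err != "") { print "NSEC3PARAM mismatch: " err > "/dev/stderr"; exit 1 }
            exit 0
        }' "$1"
}

# Sign only after the check passes, so the NSEC3PARAM published in the zone
# is the one the NSEC3 chain was actually built with.
# Usage: sign_nsec3_zone <zonefile> <iterations> <hex-salt> <key> [key...]
sign_nsec3_zone() {
    zone=$1; iters=$2; salt=$3; shift 3
    check_nsec3param "$zone" "$iters" "$salt" || return 1
    ldns-signzone -n -s "$salt" -t "$iters" "$zone" "$@"
}
```

Typical use is `make_nsec3param example.org 180 2 abcd >> zone2sign` followed by `sign_nsec3_zone zone2sign 2 abcd Kexample.org.+008+12345`; if someone later edits the -t or -s values in the signing script but not the record in the zone, the check fails before a mismatched NSEC3PARAM is published.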



