[ldns-users] NSEC3PARAM added by ldns-signzone

Matthijs Mekking matthijs at pletterpet.nl
Mon Nov 16 07:36:04 UTC 2015


Andreas,

On 13-11-15 22:10, A. Schulze wrote:
> 
> 
> Am 13.11.2015 um 16:16 schrieb Michael J. Sheldon:
>>  From looking at the code, the NSEC3PARAM record is created in
>> ldns_dnssec_zone_sign_nsec3_flg_mkmap, and does not explicitly set the
>> TTL, which is set from ldns_rr_new_frm_type, which uses
>> LDNS_DEFAULT_TTL, which is 3600.
>>
>> This is different from the NSEC3 records, which are created using the
>> SOA Minimum field for the TTL.
>>
>> Not sure if it will work with the command line app, but
>> ldns_dnssec_zone_sign_nsec3_flg_mkmap will leave an existing
>> NSEC3PARAM alone instead of creating a new one, so you could try that.
>> Just be sure the parameters in the record match those you pass to
>> ldns-signzone.
> 
> Michael,
> 
> Adding NSEC3PARAM to the ldns-signzone INPUT+COMMANDLINE was a good idea.
> It works.
> 
>   SALT='random'
>   ROUNDS=2
>   echo "example.org 180 IN NSEC3PARAM 1 0 $ROUNDS $SALT" >> zone2sign
>   ldns-signzone ... -s $SALT -t $ROUNDS zone2sign ...
> 
> Strange: I use "ldns-read-zone -S +$DELTA" to set a new SOA serial
> before signing.
> But using -S also implies -s, which strips all DNSSEC data from the input :-/
> 
> Finally, a more general question: which TTL for NSEC3PARAM makes sense?
> I saw domains using a TTL of 0 !?

TTL of 0 seems like a good value for NSEC3PARAM as the record is not
meant to be used by validators or resolvers.

However, 0 has a nasty side effect for some resolver implementations
doing ANY queries: None of the retrieved RRsets would be cached (because
resolvers should take the lowest TTL of the RRset).

The lowest TTL used in your apex would thus be a good value for
NSEC3PARAM to overcome that side effect. I actually think that 3600 is a
good default.

Best regards,
  Matthijs


> 
> Andreas
> 
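The two practical points of this thread, pre-creating an NSEC3PARAM record in the unsigned input so that its parameters match the `-s`/`-t` options given to ldns-signzone, and giving it the lowest TTL used at the apex rather than 0, can be scripted. The following is an added example written for this page; it is not code from the thread or from the ldns project. The zone text is constructed, the function names are hypothetical, and the only ldns facts it relies on are the ones visible above: `-s` takes the salt and `-t` the iteration count. The salt is written in hexadecimal (or `-` for no salt) because that is the NSEC3PARAM presentation format.

```python
import re

# Constructed sample zone (not from the thread). The apex has TTLs 86400,
# 300 and one record that inherits $TTL (3600); the lowest apex TTL is 300.
SAMPLE_ZONE = """\
$TTL 3600
example.org.  86400 IN SOA ns1.example.org. hostmaster.example.org. 2015111301 7200 900 1209600 180
example.org.  86400 IN NS  ns1.example.org.
example.org.    300 IN MX  10 mail.example.org.
example.org.        IN TXT "v=spf1 -all"
ns1.example.org. 3600 IN A  192.0.2.1
"""

HEX_SALT = re.compile(r"[0-9A-Fa-f]+")


def parse_zone(text):
    """Minimal parser for one-record-per-line zone files.

    Returns a list of (owner, ttl, rrtype). Honours $TTL for records that
    omit their TTL and tolerates an omitted class. Other $ directives and
    multi-line records are out of scope for this example.
    """
    default_ttl = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            continue                              # $ORIGIN etc. not needed here
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():            # explicit TTL present
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        if ttl is None:
            raise ValueError(f"no TTL and no $TTL for record: {line}")
        records.append((owner, ttl, rest[0].upper()))
    return records


def apex_min_ttl(records, apex):
    """Lowest TTL among the records owned by the apex name."""
    ttls = [ttl for owner, ttl, _ in records if owner == apex]
    if not ttls:
        raise ValueError(f"no records at apex {apex}")
    return min(ttls)


def nsec3param_rr(apex, ttl, iterations, salt):
    """Presentation-format NSEC3PARAM line: hash algorithm 1 (SHA-1),
    flags 0 (the NSEC3PARAM flags field is always zero), iterations, salt."""
    if salt != "-" and (len(salt) % 2 or not HEX_SALT.fullmatch(salt)):
        raise ValueError("salt must be an even-length hex string or '-'")
    return f"{apex} {ttl} IN NSEC3PARAM 1 0 {iterations} {salt}"


def signzone_args(iterations, salt):
    """The ldns-signzone options that must agree with the record above."""
    return ["-s", salt, "-t", str(iterations)]


def prepare_input(zone_text, apex, iterations, salt):
    """Return (zone text with NSEC3PARAM appended, matching signzone args)."""
    ttl = apex_min_ttl(parse_zone(zone_text), apex)
    rr = nsec3param_rr(apex, ttl, iterations, salt)
    return zone_text + rr + "\n", signzone_args(iterations, salt)


if __name__ == "__main__":
    zone, args = prepare_input(SAMPLE_ZONE, "example.org.", 2, "ab12cd34")
    print(zone)
    print("ldns-signzone", " ".join(args), "zone2sign ...")
```

Because the TTL is derived from the apex RRsets actually present, an ANY query at the apex no longer has a 0 TTL dragging the whole answer out of the cache, which is the side effect Matthijs describes; the salt and iteration count are emitted once and reused for both the record and the command line so they cannot drift apart.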



