Use NSEC3 guidance values in nsec3 config examples

Use best practice values in examples that follow new guidance from
draft-ietf-dnsop-nsec3-guidance:

   ; SHA-1, no extra iterations, empty salt:
   ;
   bcp.example. IN NSEC3PARAM 1 0 0 -

(cherry picked from commit 93601d8325)
Matthijs Mekking 2022-06-07 10:23:47 +02:00
parent ef9dcad036
commit 72ad0ed7cf

@ -160,14 +160,14 @@ To enable ``NSEC3``, add an ``nsec3param`` option to your DNSSEC Policy:
::
dnssec-policy "nsec3" {
nsec3param iterations 5 optout yes salt-length 8;
nsec3param iterations 0 optout no salt-length 0;
};
..
The ``nsec3`` policy above creates ``NSEC3`` records using the SHA-1 hash
algorithm, using 5 iterations and a salt that is 8 characters long. It also
skips insecure delegations.
algorithm, using zero extra iterations and no salt. ``optout`` is disabled,
meaning insecure delegations will also get an ``NSEC3`` record.
The ``NSEC3`` chain is generated and the ``NSEC3PARAM`` record is added before
the existing ``NSEC`` chain (if any) is destroyed.
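Review bot: The rewritten paragraph below the policy block gives the new values (zero extra iterations, no salt, ``optout`` disabled) but not the reason for them, so a reader who sees ``nsec3param iterations 0 optout no salt-length 0;`` may take it for a weak placeholder and raise the numbers in their own policy. Suggest adding one sentence to that paragraph saying these are the recommended values and pointing to draft-ietf-dnsop-nsec3-guidance, which the commit message already names as the source. The hash algorithm is described as SHA-1 in the text but does not appear in the ``nsec3param`` line, so it would also help to say there that it is not set by this option line.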