.. code-block:: shell
- pdnsutil set-nsec3 example.net '1 0 1 ab'
+ pdnsutil set-nsec3 example.net '1 0 0 -'
The quoted part is the content of the NSEC3PARAM records, as defined in
:rfc:`5155 <5155#section-4>`, in order:
NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the
NSEC3PARAM record. If present, NSEC3 is used, if not present, zones
default to NSEC. See ``set-nsec3`` in :doc:`pdnsutil <dnssec/pdnsutil>`.
-Example content: "1 0 1 ab".
+Example content: "1 0 0 -".
.. _metadata-presigned:
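Review bot: the metadata description above the changed example says NSEC3PARAM "will be used to synthesize the NSEC3PARAM record" but gives no hint that the example value `1 0 0 -` is the same default that `set-nsec3` now applies, or that zones which already carry a stored `1 0 1 ab` value are not touched by this change. Suggest wording the example as "Example content (and the current `set-nsec3` default): "1 0 0 -"" so the two documentation pages cannot drift apart again.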
it will send out the hash + 1 as the next secure record. Narrow mode
requires online signing capabilities by the nameserver and therefore
zone transfers are denied. If only the zone is provided as argument,
- the 4-parameter quoted string defaults to ``'1 0 1 ab'``. A sample
+ the 4-parameter quoted string defaults to ``'1 0 0 -'``. A sample
commandline is: ``pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow``.
**WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching
from NSEC to NSEC3 will require a DS update in the parent zone.
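Review bot: the sample commandline two lines below the changed default still reads `pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow`, i.e. one extra iteration and a salt of `ab`, which is exactly the configuration this commit moves away from. Suggest updating it to `'1 1 0 -' narrow` if the intent is to show the opt-out flag together with narrow mode, or dropping the iteration/salt so the example matches the new default. Otherwise readers will copy the old parameters from the example and ignore the default described in the previous sentence.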
If you still have ``@`` signs in any SOA RNAMEs, 4.6.0 will serve those out literally.
You can find any stray ``@`` signs by running ``pdnsutil check-all-zones``.
+New default NSEC3 parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Following `draft-ietf-dnsop-nsec3-guidance (Guidance for NSEC3 parameter settings) <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance>`__, the default NSEC3PARAM settings (see :ref:`dnssec-operational-nsec-modes-params`) in pdnsutil are now `1 0 0 -` instead of `1 0 1 ab`.
+
4.4.x to 4.5.0
--------------
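Review bot: the new upgrade note only says the default changed; it should also tell operators what happens to zones that were already signed with NSEC3. From the pdnsutil hunk the default is applied only when no parameter string is passed, so existing zones keep their stored NSEC3PARAM and will only pick up `1 0 0 -` if `set-nsec3` is run again. Suggest adding a sentence to that effect, and noting that changing the parameters on a live zone produces a new NSEC3 chain. Also a style point: the values on the `+` line are in single backticks (`1 0 0 -`, `1 0 1 ab`), which reStructuredText renders as interpreted text rather than literals; the same values a few hunks up use double backticks, so these should too.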
cerr<<"Syntax: pdnsutil set-nsec3 ZONE 'params' [narrow]"<<endl;
return 0;
}
- string nsec3params = cmds.size() > 2 ? cmds.at(2) : "1 0 1 ab";
+ string nsec3params = cmds.size() > 2 ? cmds.at(2) : "1 0 0 -";
bool narrow = cmds.size() > 3 && cmds.at(3) == "narrow";
NSEC3PARAMRecordContent ns3pr(nsec3params);
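Review bot: the default `"1 0 0 -"` is now a bare string literal in the command handler while the same value is spelled out in three documentation files in this patch; the next parameter change will have to find all four places by hand. Suggest hoisting it into a named constant (for example a file-scope `static const std::string` holding the default, name hypothetical) and echoing it in the usage line just above, e.g. `Syntax: pdnsutil set-nsec3 ZONE ['params' (default: 1 0 0 -)] [narrow]`, so the code path that is actually taken when `cmds.size() <= 2` is visible to the operator at the prompt.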