From: Peter van Dijk Date: Fri, 19 Nov 2021 11:56:39 +0000 (+0100) Subject: auth: new default nsec3param settings, fixes #10864 X-Git-Tag: dnsdist-1.7.0-beta2~8^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11012%2Fhead;p=thirdparty%2Fpdns.git auth: new default nsec3param settings, fixes #10864 --- diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst index 7eee2930d0..a2de3b928d 100644 --- a/docs/dnssec/operational.rst +++ b/docs/dnssec/operational.rst @@ -44,7 +44,7 @@ e.g. .. code-block:: shell - pdnsutil set-nsec3 example.net '1 0 1 ab' + pdnsutil set-nsec3 example.net '1 0 0 -' The quoted part is the content of the NSEC3PARAM records, as defined in :rfc:`5155 <5155#section-4>`, in order: diff --git a/docs/domainmetadata.rst b/docs/domainmetadata.rst index a515c5f93f..ff4fb4b3f4 100644 --- a/docs/domainmetadata.rst +++ b/docs/domainmetadata.rst @@ -152,7 +152,7 @@ NSEC3PARAM NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC. See ``set-nsec3`` in :doc:`pdnsutil `. -Example content: "1 0 1 ab". +Example content: "1 0 0 -". .. _metadata-presigned: diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst index 6c59f1651a..ca086d6112 100644 --- a/docs/manpages/pdnsutil.1.rst +++ b/docs/manpages/pdnsutil.1.rst 
@@ -103,7 +103,7 @@ set-nsec3 *ZONE* ['*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*'] [**narrow**] it will send out the hash + 1 as the next secure record. Narrow mode requires online signing capabilities by the nameserver and therefore zone transfers are denied. If only the zone is provided as argument, - the 4-parameter quoted string defaults to ``'1 0 1 ab'``. A sample + the 4-parameter quoted string defaults to ``'1 0 0 -'``. A sample commandline is: ``pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow``. **WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update in the parent zone. diff --git a/docs/upgrading.rst b/docs/upgrading.rst index 93e31abb62..b754d09d70 100644 --- a/docs/upgrading.rst +++ b/docs/upgrading.rst @@ -21,6 +21,11 @@ In 4.6.0, this automatic conversion is fully removed. If you still have ``@`` signs in any SOA RNAMEs, 4.6.0 will serve those out literally. You can find any stray ``@`` signs by running ``pdnsutil check-all-zones``. +New default NSEC3 parameters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Following `draft-ietf-dnsop-nsec3-guidance (Guidance for NSEC3 parameter settings) `__, the default NSEC3PARAM settings (see :ref:`dnssec-operational-nsec-modes-params`) in pdnsutil are now `1 0 0 -` instead of `1 0 1 ab`. + 4.4.x to 4.5.0 -------------- diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index 13a5bfb80f..da2e60e7ab 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc @@ -3020,7 +3020,7 @@ try cerr<<"Syntax: pdnsutil set-nsec3 ZONE 'params' [narrow]"< 2 ? cmds.at(2) : "1 0 1 ab"; + string nsec3params = cmds.size() > 2 ? cmds.at(2) : "1 0 0 -"; bool narrow = cmds.size() > 3 && cmds.at(3) == "narrow"; NSEC3PARAMRecordContent ns3pr(nsec3params);
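Review bot: the new example ``pdnsutil set-nsec3 example.net '1 0 0 -'`` in docs/dnssec/operational.rst introduces the ``-`` salt notation without saying what it is, and the sentence right after it promises to list the NSEC3PARAM fields in RFC 5155 order. Add there that ``-`` is the RFC 5155 presentation form of an empty salt and that the third field ``0`` is the iteration count, so a reader coming from the old ``1 0 1 ab`` example sees that both the extra hashing round and the salt are being dropped on purpose rather than wondering whether ``-`` is a placeholder to fill in.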
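Review bot: in docs/manpages/pdnsutil.1.rst the default is updated to ``'1 0 0 -'``, but the sample commandline two lines later still reads ``pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow``, i.e. one extra iteration and a salt, exactly the settings this patch moves the default away from. Change the sample to ``'1 1 0 -' narrow`` (keep the opt-out flag if showing it is the point of the sample) so the manpage does not recommend one thing in the default and demonstrate another in the example.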
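Review bot: the new "New default NSEC3 parameters" section in docs/upgrading.rst wraps `1 0 0 -` and `1 0 1 ab` in single backticks, which reStructuredText renders as interpreted text, not an inline literal; the manpage hunk in this same patch uses ``'1 0 0 -'``, so use double backticks here as well. Two things to confirm before merge: the link written as `draft-ietf-dnsop-nsec3-guidance (Guidance for NSEC3 parameter settings) `__ shows no target URL as rendered here, and the :ref:`dnssec-operational-nsec-modes-params` label is not added by this patch, so it must already exist in operational.rst or the docs build will warn. It would also help operators to state that the new default only applies to ``set-nsec3`` invocations that omit the parameter string; zones that already carry an NSEC3PARAM metadata entry keep whatever is stored.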
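Review bot: the default ``"1 0 0 -"`` in pdns/pdnsutil.cc is now the fourth copy of the same literal (three docs files plus this one) with nothing tying them together; hoist it into a named constant, or at least leave a comment pointing at the docs that quote it, so the next change to the default does not leave the manpage and the upgrading notes out of step, as the manpage's sample command already is in this patch. Also worth a regression test: ``NSEC3PARAMRecordContent ns3pr(nsec3params)`` must accept the ``-`` empty-salt form on the no-argument path, since the previous default ``1 0 1 ab`` never exercised it.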