From: Matt Nordhoff Date: Sat, 28 Oct 2017 08:18:17 +0000 (+0000) Subject: Document pdnsutil set-nsec3 with no salt ("1 0 0 -") X-Git-Tag: rec-4.1.0-rc2~3^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F5872%2Fhead;p=thirdparty%2Fpdns.git Document pdnsutil set-nsec3 with no salt ("1 0 0 -") --- diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst index fcde9b1bef..100e284c08 100644 --- a/docs/dnssec/operational.rst +++ b/docs/dnssec/operational.rst @@ -52,7 +52,7 @@ The quoted part is the content of the NSEC3PARAM records, as defined in set as ``0`` - Number of iterations of the hash function, read :rfc:`RFC 5155, Section 10.3 <5155#section-10.3>` for recommendations -- Salt (in hexadecimal) to apply during hashing +- Salt to apply during hashing, in hexadecimal, or ``-`` to use no salt To convert a zone from NSEC3 to NSEC operations, run: diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst index 6a346e6d58..6cc19d116c 100644 --- a/docs/manpages/pdnsutil.1.rst +++ b/docs/manpages/pdnsutil.1.rst 
@@ -88,13 +88,13 @@ set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**] know you need it. For *ITERATIONS*, please consult RFC 5155, section 10.3. And be aware that a high number might overload validating resolvers. The *SALT* is a hexadecimal string encoding the bits for - the salt. Setting **narrow** will make PowerDNS send out "white - lies" about the next secure record. Instead of looking it up in the - database, it will send out the hash + 1 as the next secure record. A - sample commandline is: "pdnsutil set-nsec3 powerdnssec.org '1 1 1 - ab' narrow". **WARNING**: If running in RSASHA1 mode (algorithm 5 or - 7), switching from NSEC to NSEC3 will require a DS update in the - parent zone. + the salt, or - to use no salt. Setting **narrow** will make PowerDNS + send out "white lies" about the next secure record. Instead of + looking it up in the database, it will send out the hash + 1 as the + next secure record. A sample commandline is: "pdnsutil set-nsec3 + powerdnssec.org '1 1 1 ab' narrow". **WARNING**: If running in + RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will + require a DS update in the parent zone. unset-nsec3 *ZONE* Converts *ZONE* to NSEC operations. **WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
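Review bot: in the docs/dnssec/operational.rst hunk, the new Salt bullet mentions ``-`` but never shows it inside the full quoted value. The commit subject names the form "1 0 0 -", yet that string does not appear in the changed text. Suggest extending the bullet, for example "or ``-`` to use no salt (as in ``1 0 0 -``)", so readers see that the dash takes the place of the salt field inside the quoted string.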
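Review bot: in the docs/manpages/pdnsutil.1.rst hunk, the added text "the salt, or - to use no salt" leaves the dash unmarked, so in running prose it reads as punctuation rather than a value to type. The operational.rst change in this same patch writes it as a literal (``-``); suggest the same markup here. The sample command line in this paragraph still shows only the salted form '1 1 1 ab', so consider adding a saltless sample next to it.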