From: Matthijs Mekking Date: Tue, 7 Jun 2022 08:23:47 +0000 (+0200) Subject: Use NSEC3 guidance values in nsec3 config examples X-Git-Tag: v9.19.3~30^2~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93601d83251efa13e9818215eadbb774e62551ab;p=thirdparty%2Fbind9.git Use NSEC3 guidance values in nsec3 config examples Use best practice values in examples that follow new guidance from draft-ietf-dnsop-nsec3-guidance: ; SHA-1, no extra iterations, empty salt: ; bcp.example. IN NSEC3PARAM 1 0 0 - --- diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index 98c70e0c49a..8e87aa4e690 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -160,14 +160,14 @@ To enable ``NSEC3``, add an ``nsec3param`` option to your DNSSEC Policy: :: dnssec-policy "nsec3" { - nsec3param iterations 5 optout yes salt-length 8; + nsec3param iterations 0 optout no salt-length 0; }; .. The ``nsec3`` policy above creates ``NSEC3`` records using the SHA-1 hash -algorithm, using 5 iterations and a salt that is 8 characters long. It also -skips insecure delegations. +algorithm, using zero extra iterations and no salt. ``optout`` is disabled, +meaning insecure delegations will also get an ``NSEC3`` record. The ``NSEC3`` chain is generated and the ``NSEC3PARAM`` record is added before the existing ``NSEC`` chain (if any) is destroyed.