Detailed Steps:
1. Enable DNSSEC: If your zone isn't already DNSSEC-secured, enable it in Our Panel GUI or with pdnsutil commands through the terminal.
2. Set NSEC3 Parameters: Use pdnsutil set-nsec3 ZONE "[PARAMETERS]" (add 'narrow' for NSEC3-narrow mode), for example:
pdnsutil set-nsec3 example.net '1 0 0 -' 'narrow'
3. Rectify the Zone: After enabling NSEC3, it's recommended to rectify the zone to ensure proper NSEC3 record generation, especially with automatic serials and AXFR replication.
4. Verify: Use the command below (check-zone takes the zone name as its argument) to verify the NSEC3 configuration and the zone's overall health.
pdnsutil check-zone example.net
You can also use a tool like DNSViz for external validation.
Explanation of NSEC3 Parameters:
The NSEC3 parameters (e.g., "1 0 0 -") are crucial for NSEC3 functionality:
Algorithm: Specifies the hash algorithm to be used (1 for SHA1, 2 for SHA256, etc.).
Iterations: Defines the number of hashing iterations. Best practice is to use 0 for the lowest computational overhead.
Salt: A random value used in the hashing process to improve security. A salt value of "-" or a hex string is commonly used.
Hash Length: The length of the resulting hash (usually 0 for SHA1, 32 for SHA256, etc.).
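To make the parameter string from step 2 concrete, here is an added example (not code from the original post or from PowerDNS) that parses an NSEC3PARAM string in the four-field order RFC 5155 uses for its presentation format (hash algorithm, flags, iterations, salt), computes the NSEC3 owner-name hash the way a signer or validator does, and flags parameter choices that RFC 9276 advises against (non-zero iterations, non-empty salt). The owner names under example.net are constructed for the demonstration; the helper names are the example's own.

```python
import base64
import hashlib

# base32hex (RFC 4648 section 7) is the alphabet NSEC3 owner labels use;
# Python's b32encode produces plain base32, so we remap the alphabet.
_BASE32_TO_BASE32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # root label terminates the name

def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: H(name || salt), then `iterations` more rounds of H(prev || salt)."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, lowercase as it appears in a zone
    return base64.b32encode(digest).decode("ascii").translate(_BASE32_TO_BASE32HEX).lower()

def parse_nsec3param(text: str) -> dict:
    """Parse 'algorithm flags iterations salt' as given to pdnsutil set-nsec3."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected four fields: algorithm flags iterations salt")
    alg, flags, iters, salt = fields
    return {
        "algorithm": int(alg),
        "flags": int(flags),
        "iterations": int(iters),
        "salt": b"" if salt == "-" else bytes.fromhex(salt),  # '-' means empty salt
    }

def check_nsec3param(params: dict) -> list:
    """Return warnings for choices RFC 9276 recommends against or RFC 5155 disallows."""
    warnings = []
    if params["algorithm"] != 1:
        warnings.append(f"algorithm {params['algorithm']}: only 1 (SHA-1) is defined")
    if params["flags"] & ~1:
        warnings.append(f"flags {params['flags']}: only bit 0 (opt-out) is defined")
    if params["iterations"] > 0:
        warnings.append(
            f"iterations={params['iterations']}: RFC 9276 recommends 0; each extra "
            f"iteration adds one hash round per name for signer and validator alike"
        )
    if params["salt"]:
        warnings.append("non-empty salt: RFC 9276 recommends the empty salt ('-')")
    return warnings

if __name__ == "__main__":
    # Constructed example names; '1 0 0 -' is the parameter string used in the post.
    for param_text in ("1 0 0 -", "1 1 150 aabbccdd"):
        p = parse_nsec3param(param_text)
        print(f"NSEC3PARAM '{param_text}': warnings={check_nsec3param(p) or 'none'}")
        for owner in ("example.net", "www.example.net"):
            print("  ", owner, "->", nsec3_hash(owner, p["salt"], p["iterations"], p["algorithm"]))
```

The hashing routine can be cross-checked against the signed zone in RFC 5155 Appendix A, which publishes the NSEC3 owner names it derives from salt aabbccdd and 12 iterations. Note that the name is lowercased before hashing, so a validator hashing "WWW.Example.NET" reaches the same NSEC3 owner as the signer did.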
Important Considerations: NSEC3-narrow vs. NSEC3-broad:
PowerDNS supports both NSEC3 modes. NSEC3-narrow provides more security by using "white lies" to prevent zone enumeration, but it requires online signing capabilities and might be less compatible with AXFRs. NSEC3-broad relies on the database to provide NSEC3 records, which is the default mode.
Implicit Algorithm Upgrades: Be aware of implicit algorithm upgrades from RSASHA1 (algorithm 5) to RSASHA1-NSEC3-SHA1 (algorithm 7) when enabling NSEC3. This change can break zones if not handled correctly.
NSEC3 Salts: Some NSEC3 salts can lead to validation issues, so be careful when choosing salt values, especially if they are not the default "-".