Setting NSEC3 for a new zone
Posted: Wed Jun 04, 2025 3:07 am
To enable NSEC3 for a zone in PowerDNS, use the pdnsutil set-nsec3 command, followed by the zone name and the desired NSEC3 parameters. You can also switch between NSEC and NSEC3 in the GUI, where you can also manage DNSSEC settings and keys.
Detailed Steps:
1. Enable DNSSEC: If your zone isn't already DNSSEC-secured, you'll need to enable it in Our Panel GUI or using pdnsutil commands through the terminal.
2. Set NSEC3 Parameters: Use pdnsutil set-nsec3 ZONE '[PARAMETERS]', for example:
pdnsutil set-nsec3 example.net '1 0 0 -' 'narrow'
3. Rectify the Zone: After enabling NSEC3, it's recommended to rectify the zone to ensure proper NSEC3 record generation, especially with automatic serials and AXFR replication.
4. Verify: Run pdnsutil check-zone on the zone to verify the NSEC3 configuration and the zone's overall health:
pdnsutil check-zone example.net
You can also use a tool like DNSViz for external validation.
Explanation of NSEC3 Parameters:
The NSEC3 parameters (e.g., "1 0 0 -") are crucial for NSEC3 functionality:
Algorithm: Specifies the hash algorithm to be used (1 for SHA1, 2 for SHA256, etc.).
Iterations: Defines the number of hashing iterations. Best practice is to use 0 for the lowest computational overhead.
Salt: A random value used in the hashing process to improve security. A salt value of "-" or a hex string is commonly used.
Hash Length: The length of the resulting hash (usually 0 for SHA1, 32 for SHA256, etc.).
Important Considerations: NSEC3-narrow vs. NSEC3-broad:
PowerDNS supports both NSEC3 modes. NSEC3-narrow provides more security by using "white lies" to prevent zone enumeration, but it requires online signing capabilities and might be less compatible with AXFRs. NSEC3-broad relies on the database to provide NSEC3 records, which is the default mode.
Implicit Algorithm Upgrades: Be aware of implicit algorithm upgrades from RSASHA1 (algorithm 5) to RSASHA1-NSEC3-SHA1 (algorithm 7) when enabling NSEC3. This change can break zones if not handled correctly.
NSEC3 Salts: Some NSEC3 salts can lead to validation issues, so be careful when choosing salt values, especially if they are not the default "-".
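As an added example that is not part of the original post and not PowerDNS code, the following Python script parses a parameter string in the form pdnsutil set-nsec3 takes ('HASH-ALGORITHM FLAGS ITERATIONS SALT', the RFC 5155 NSEC3PARAM field order), warns about the iteration, salt and opt-out choices that cause the validation problems mentioned above, and computes the NSEC3 owner-name hash of a name so the effect of the iterations and salt on the chain is visible. The RFC 5155 Appendix A test vector (salt aabbccdd, 12 iterations, apex "example.") is used as a built-in check; the function names and the constructed inputs are my own.

```python
"""NSEC3 parameter checker and owner-name hasher.

Added example (not PowerDNS code). Parses the string given to
pdnsutil set-nsec3 ('HASH-ALGORITHM FLAGS ITERATIONS SALT', i.e. the
RFC 5155 NSEC3PARAM rdata order), reviews it against RFC 9276
recommendations, and computes NSEC3 owner-name hashes.
"""
import base64
import hashlib

# RFC 5155 defines a single NSEC3 hash algorithm: 1 = SHA-1.
NSEC3_SHA1 = 1
OPT_OUT_FLAG = 0x01

# Translate RFC 4648 base32 output into the base32hex alphabet NSEC3 uses.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def parse_nsec3_params(spec: str) -> dict:
    """Parse '1 0 0 -' into algorithm, flags, iterations and salt bytes.

    Raises ValueError for anything that is not a valid NSEC3PARAM string.
    """
    fields = spec.split()
    if len(fields) != 4:
        raise ValueError("expected 'ALGORITHM FLAGS ITERATIONS SALT'")
    alg, flags, iters, salt = fields
    algorithm, flags_v, iterations = int(alg), int(flags), int(iters)
    if algorithm != NSEC3_SHA1:
        raise ValueError(f"unsupported NSEC3 hash algorithm {algorithm}")
    if not 0 <= flags_v <= 255:
        raise ValueError("flags must fit in one byte")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations must fit in 16 bits")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)  # '-' = empty salt
    if len(salt_bytes) > 255:
        raise ValueError("salt longer than 255 bytes")
    return {"algorithm": algorithm, "flags": flags_v,
            "iterations": iterations, "salt": salt_bytes}


def review_nsec3_params(params: dict) -> list:
    """Return warnings for settings resolvers may reject or penalise.

    RFC 9276 recommends 0 iterations and an empty salt; validators may cap
    the iteration count and treat the zone as insecure above that cap.
    """
    warnings = []
    if params["iterations"] > 0:
        warnings.append(f"iterations={params['iterations']}: RFC 9276 recommends 0; "
                        "validators may cap iterations and treat the zone as insecure")
    if params["salt"]:
        warnings.append("non-empty salt: RFC 9276 recommends the empty salt '-'")
    if params["flags"] & OPT_OUT_FLAG:
        warnings.append("opt-out flag set: unsigned delegations get no "
                        "denial-of-existence proof")
    return warnings


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(... H(H(owner || salt) || salt) ...) in base32hex.

    The owner name is hashed in canonical (lower-case) wire format; the
    initial hash plus `iterations` extra rounds are computed.
    """
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def rfc5155_vector_ok() -> bool:
    """Check against the RFC 5155 Appendix A example zone (1 0 12 aabbccdd)."""
    return nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12) == \
        "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


if __name__ == "__main__":
    # The parameter string used in the post above.
    params = parse_nsec3_params("1 0 0 -")
    print(params, review_nsec3_params(params) or "no warnings")
    # Constructed example with the settings the post warns about.
    noisy = parse_nsec3_params("1 1 10 aabbccdd")
    for w in review_nsec3_params(noisy):
        print("warning:", w)
    print("hash of example.net with '1 0 0 -':", nsec3_hash("example.net", b"", 0))
    print("RFC 5155 vector ok:", rfc5155_vector_ok())
```

Running it shows that the post's '1 0 0 -' produces no warnings, while a salted, iterated, opt-out configuration produces three, and that every owner-name hash is a 32-character base32hex string regardless of the iteration count, which is why extra iterations add cost for validators without adding security.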