dns-ui
Enforce NSEC3 for DNSSEC
NSEC has a fundamental zone record disclosure vulnerability. It would be nice to add methods for enforcing NSEC3 on zones and editing the NSEC3 params. For pdns 4.1 it is a stock ability.
I would certainly like to be able to provide access to these parameters for you, but to be honest here, I have absolutely no experience with implementing DNSSEC myself, so when it comes to these matters I am mostly going by what I have been able to read about, plus some helpful advice I have been given (e.g. in #57). I know that the PowerDNS API gives access to the nsec3param (string) and nsec3narrow (boolean) zone parameters, but I don't know if these are the parameters you are looking to edit and/or how these should be presented in the UI. What I can say is that we are limited by what the API allows us to edit, as all interaction between DNS UI and PowerDNS is done through the API.
I would start with the equivalent of pdnsutil set-nsec3 ZONE and pdnsutil unset-nsec3 ZONE, but maybe they are not in pdns API.
https://doc.powerdns.com/authoritative/dnssec/operational.html
Okay, I'm guessing the nsec3param property is exactly what we need to use then, thanks.
The set-nsec3 documentation in the pdnsutil manual page gives information on what the values for the NSEC3PARAMS could be. I hope this helps.
Any update on when this will be implemented in dns-ui?
The PowerDNS API appears to have the appropriate functionality, e.g. the Zones endpoint includes the parameters 'nsec3param (string)' and 'nsec3narrow (boolean)'. Taking a look at the pdnsutil source code would likely give guidance on what information is required via the API to replicate the CLI functions.
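To make the comment above concrete, here is an added example (not dns-ui's or PowerDNS's own code) of what the UI side would do: audit which signed zones are still on plain NSEC, build the NSEC3PARAM string in the form pdnsutil set-nsec3 accepts, and send it through the zone PUT endpoint. The base URL, API key and sample zone JSON are constructed placeholders.

```python
"""Find PowerDNS zones still using NSEC and build the API update that switches them to NSEC3.

Uses only the documented zone fields `dnssec`, `nsec3param` and `nsec3narrow`.
The base URL, API key and SAMPLE_ZONES below are constructed, not real values.
"""
import json
import re
import urllib.request

# Constructed sample of what GET /api/v1/servers/localhost/zones returns,
# trimmed to the fields that matter here.
SAMPLE_ZONES = [
    {"id": "example.com.", "dnssec": True, "nsec3param": "", "nsec3narrow": False},
    {"id": "example.net.", "dnssec": True, "nsec3param": "1 0 0 -", "nsec3narrow": False},
    {"id": "example.org.", "dnssec": False, "nsec3param": "", "nsec3narrow": False},
]

def zones_using_nsec(zones):
    """Return ids of signed zones with no NSEC3PARAM, i.e. an enumerable NSEC chain."""
    return [z["id"] for z in zones if z.get("dnssec") and not z.get("nsec3param")]

def nsec3param(iterations=0, salt="-", opt_out=False):
    """Build 'algorithm flags iterations salt' as pdnsutil set-nsec3 takes it.
    Algorithm 1 (SHA-1) is the only defined value; salt '-' means empty."""
    if iterations < 0:
        raise ValueError("iterations must be non-negative")
    if salt != "-" and not re.fullmatch(r"[0-9a-fA-F]+", salt):
        raise ValueError("salt must be '-' or a hex string")
    return f"1 {1 if opt_out else 0} {iterations} {salt}"

def nsec3_payload(param, narrow=False):
    """JSON body for PUT /api/v1/servers/<server>/zones/<zone> (metadata update)."""
    return {"nsec3param": param, "nsec3narrow": narrow}

def set_nsec3(base_url, api_key, zone_id, payload):
    """Apply the payload to one zone; PowerDNS re-signs it. Network call, not run here."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/servers/localhost/zones/{zone_id}",
        data=json.dumps(payload).encode(), method="PUT",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 No Content on success

if __name__ == "__main__":
    for zid in zones_using_nsec(SAMPLE_ZONES):
        print(zid, "->", json.dumps(nsec3_payload(nsec3param())))
```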
The GUI is great, but currently I need to do a manual pdnsutil call to set NSEC3 on each zone. After a long period of testing DNSSEC we're soon going to implement it on all our zones, and it would be nice if dns-ui supported NSEC3 natively.