[Opendnssec-develop] Config question

sion at nominet.org.uk sion at nominet.org.uk
Tue Aug 4 09:01:10 UTC 2009

> > kasp.rnc says:
> > - ---
> > # The actual salt is generated by the Enforcer
> > # Note: the enforcer may decide to store the
> > # current salt in the DB and so it could be exported
> > # here.
> > xsd:string?
> > - ---
> >
> > Is Enforcer doing this? Then it should just be to parse the kasp.xml
> it may store it here at export, but it should normally not be here (as
> it is generated by the Enforcer).
> we'll just let the Auditor read the SignerConfiguration for the salt.

Should we ever look to store the salt in the kasp.xml, either on export or
not? As it changes its value then you could argue that it is not really
part of the policy.

My slight concern here is that we have a value in kasp.xml that doesn't
change and so gets out of sync with the SignerConfiguration.

A slight aside, any salt in the kasp.xml is ignored by ksmutil; so there is
no way to set an initial value. This means that you will have trouble
importing an existing NSEC3 zone without some database hacking. (I can add
a "ksmutil setsalt salt [policy]" command to overcome this.)


More information about the Opendnssec-develop mailing list