[Opendnssec-develop] getting rid of HSM calls from the communicator

Rick van Rein rick at openfortress.nl
Thu Sep 10 09:09:13 UTC 2009


> > It would seem the better option to me too to generate the salt at 
> > system installation/first startup.
> Why?

Salt is used to make dictionary attacks harder, and the more generically
a dictionary can be used, the more likely such an attack becomes.
So, in order to be less predictable, salts must be changed as often
as is practical, ideally every time before using it.

Installing a system with the same salt everywhere is exactly as good
as not salting at all.
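
The point about a shared salt, as an added example that is not part of the original post or of OpenDNSSEC's code. It assumes a plain salted SHA-256 over short names (the post does not name the hash); the site names, candidate list and function names are constructed for illustration.

```python
import hashlib
import os

# Constructed sample data: names a guesser might try, and the names
# actually present at two hypothetical installations.
CANDIDATES = ["www", "mail", "ns1", "vpn", "intranet", "staging"]
SITE_NAMES = {
    "site-a": ["www", "mail", "vpn"],
    "site-b": ["www", "staging", "ns1"],
}

def salted_hash(salt: bytes, name: str) -> str:
    # Assumed construction: SHA-256 over salt || name.
    return hashlib.sha256(salt + name.encode("ascii")).hexdigest()

def build_dictionary(salt: bytes, candidates):
    # Precomputed table: hash -> name, valid only for this one salt.
    return {salted_hash(salt, n): n for n in candidates}

def publish(salts):
    # What each installation exposes: hashes of its names under its own salt.
    return {site: [salted_hash(salts[site], n) for n in names]
            for site, names in SITE_NAMES.items()}

def recovered(dictionary, published_hashes):
    # Names the precomputed table maps back from the published hashes.
    return sorted(dictionary[h] for h in published_hashes if h in dictionary)

def compare(shipped_salt: bytes):
    # One table, built once from the salt every installation shipped with.
    table = build_dictionary(shipped_salt, CANDIDATES)
    deployments = {
        "shared": {site: shipped_salt for site in SITE_NAMES},
        "per_install": {site: os.urandom(8) for site in SITE_NAMES},
    }
    return {
        label: {site: recovered(table, hashes)
                for site, hashes in publish(salts).items()}
        for label, salts in deployments.items()
    }

if __name__ == "__main__":
    for label, sites in compare(b"\x00" * 8).items():
        for site, names in sites.items():
            print(f"{label:12} {site}: recovered {names}")
```

With the shipped salt, the single table recovers every name at every installation; with a salt generated per installation, the same table recovers nothing and would have to be rebuilt for each site.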