[Opendnssec-develop] getting rid of HSM callsfrom the communicator

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Thu Sep 10 09:10:37 UTC 2009

Having a default salt in all OpenDNSSEC installations is bad practice I
think, because it would make a dictionary attack on all 'default'
OpenDNSSEC installations more feasible. It's trivial to include the
generation of a salt in the installation process, so why not do it? Or
even better, and still quite simple: why not generate a per zone salt
the first time you start signing a zone?

I see your argument about having re-sign and re-hash an entire zone by
generating new salts for all changes, but let's at least have some
differentiation between OpenDNSSEC installations by applying either of
the suggestion above.



Roy Arends wrote:
> Roland van Rijswijk wrote on 09/10/2009 09:55:21 AM:
>> +1, a default salt is a bad idea IMHO.
> Why?
> Nice that we're voting and all, but some text to back up a decision
> would be nice
> Kind regards,
> Roy Arends
> Sr. Researcher
> Nominet UK

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

More information about the Opendnssec-develop mailing list