[Opendnssec-develop] getting rid of HSM callsfrom the communicator

sion at nominet.org.uk sion at nominet.org.uk
Mon Sep 21 09:16:06 UTC 2009


> > > To be clear, the default (well, the example xml) already specifies a

> > > random salt, of length 8, and resalts every 100 days.
> >
> > I agree with Roy here, but I see no point in changing this at this
> > time - it would just confuse people.

Sorry I'm coming a bit late to this party. I just want to clear up how the
salt works currently, to make sure that we are all happy with it.

There is no default salt... only a default length for the salt (in
kasp.xml). The salt is per _policy_; i.e. all zones on the same policy will
have the same salt. That salt is generated the first time the communicator
sees that policy, and every <Resalt> after that. (We do not tell the signer
that the salt has changed though, is that okay?)

Sion




More information about the Opendnssec-develop mailing list