[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Jerry Lundström jerry at opendnssec.org
Wed Sep 18 14:08:00 UTC 2013

Hi all,

I'm working on a plugin ( https://github.com/jelu/lim-plugin-orr/tree/develop ) to Lim, the framework I started to develop last year to bring REST/SOAP API to OpenDNSSEC (check my GitHub page).

Right now I'm working on logic for a backup/failover solution for OpenDNSSEC and trying to only use the tools we have (ods-ksmutil etc).

Handling KSK/ZSK is all fine and dandy, I can set policy to manual everything and copy the key between nodes... but what about NSEC3 salt?

From what I can find we only configure it in the policy, there are no tools to check the current salt from the KASP database, regenerate it or display when it will resalt (Maybe we need these tools?).

Say for example that you have two nodes, A and B, both running the same KSK and ZSK but different salts. A is primary and the signed zone it has generated is live. A then breaks down and we send a new update of the zone to B and it generates a new signed zone with the same KSK and ZSK but with a different NSEC3 salt.

Can or will there be a problem here when that zone goes live?

Jerry Lundström - OpenDNSSEC Developer
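The A/B scenario above, as an added example that is not part of the original post or of OpenDNSSEC itself: the RFC 5155 NSEC3 owner-name hash, run over the same names with two different salts, shows that the two nodes would publish NSEC3 chains with different hashed owner names even though they share the KSK and ZSK. The salt values and zone names are constructed for illustration.

```python
# Added example (not from the original post or OpenDNSSEC): RFC 5155 NSEC3
# owner-name hashing, used to show why two signers that share KSK/ZSK but
# use different salts produce NSEC3 chains that are not interchangeable.
import base64
import hashlib

# Translation from RFC 4648 base32 (A-Z2-7) to base32hex (0-9A-V), the
# alphabet NSEC3 owner names are encoded in (RFC 5155 section 3.3).
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def canonical_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) uncompressed wire format (RFC 4034 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name per RFC 5155 section 5 (hash algorithm 1 = SHA-1).

    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    salt_hex is the presentation-format salt ("-" means an empty salt).
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)

def chains_interchangeable(names, salt_a: str, salt_b: str, iterations: int) -> bool:
    """True only if every name hashes identically under both salts, i.e. only
    if the two signers' NSEC3 chains cover the same hashed owner names."""
    return all(nsec3_hash(n, salt_a, iterations) == nsec3_hash(n, salt_b, iterations)
               for n in names)

if __name__ == "__main__":
    # Constructed sample: node A and node B sign the same zone with the same
    # keys but different salts (the salts and names are made up).
    names = ["example", "www.example", "mail.example"]
    salt_a, salt_b, iters = "aabbccdd", "0123456789abcdef", 12
    for n in names:
        print(f"{n:14} A={nsec3_hash(n, salt_a, iters)}  B={nsec3_hash(n, salt_b, iters)}")
    print("interchangeable:", chains_interchangeable(names, salt_a, salt_b, iters))
```

The salt actually in use is visible in the published zone's NSEC3PARAM RR, so comparing that record between nodes is one way to check that they agree before a failover.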

