[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Olaf Kolkman olaf at NLnetLabs.nl
Wed Sep 18 15:50:30 UTC 2013


On 18 sep. 2013, at 16:08, Jerry Lundström <jerry at opendnssec.org> wrote:

> 
> Say for example that you have two nodes, A and B, both running the same KSK and ZSK but different salts. A is primary and the signed zone it has generated is live. A then breaks down and we send a new update of the zone to B and it generates a new signed zone with the same KSK and ZSK but with a different NSEC3 salt.
> 
> Can or will there be a problem here when that zone goes live?

From the point of view of the resolver this is a pretty atomic operation and I do not immediately (in the few minutes I thought about this) see a problem.

From the point of view of the authoritative name servers to which A and B push their content this will trigger a full zone change, i.e. an AXFR instead of an IXFR.  That could be painful.

--Olaf
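To see why a salt change on node B turns the next transfer into (effectively) a full zone change, it helps to compute the NSEC3 owner names directly. The following is an added example, not code from this thread or from OpenDNSSEC: it implements the RFC 5155 hash (SHA-1, algorithm 1) over a constructed five-name zone, builds the NSEC3 chain once with node A's salt and once with node B's salt, and lists which NSEC3 owner names an IXFR would have to delete and add. The zone name, owner names, salts and iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib

# RFC 5155 encodes the hash in base32hex; Python's b32encode uses the
# standard alphabet, so translate it to the extended-hex alphabet.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format encoding of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).

    Hash algorithm 1 is SHA-1; a 20-byte digest encodes to exactly 32 base32hex chars.
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")


def nsec3_chain(zone: str, names, salt: bytes, iterations: int) -> dict:
    """Map each NSEC3 owner name a signer would emit back to the original name."""
    return {f"{nsec3_hash(n, salt, iterations)}.{zone}": n for n in names}


def changed_records(chain_a: dict, chain_b: dict):
    """Owner names that exist in only one chain: the delta an IXFR would carry.

    Every NSEC3 RR (and the RRSIG covering it) lives under a hashed owner name,
    so a salt change replaces the entire chain rather than updating it in place.
    """
    removed = sorted(set(chain_a) - set(chain_b))
    added = sorted(set(chain_b) - set(chain_a))
    return removed, added


# Constructed sample zone: assumed names, salts and iteration count.
ZONE = "example."
NAMES = ["example.", "a.example.", "ns1.example.", "www.example.", "mail.example."]
SALT_A = bytes.fromhex("aabbccdd")    # salt on node A (assumed)
SALT_B = bytes.fromhex("0102030405")  # salt on node B (assumed)
ITERATIONS = 12


def salt_change_delta():
    """Return (removed, added) NSEC3 owner names when B's salt replaces A's."""
    chain_a = nsec3_chain(ZONE, NAMES, SALT_A, ITERATIONS)
    chain_b = nsec3_chain(ZONE, NAMES, SALT_B, ITERATIONS)
    return changed_records(chain_a, chain_b)


if __name__ == "__main__":
    removed, added = salt_change_delta()
    print(f"{len(removed)} NSEC3 RRs removed, {len(added)} added "
          f"for a {len(NAMES)}-name zone")
    for owner in removed:
        print("  -", owner)
    for owner in added:
        print("  +", owner)
```

For an N-name zone the delta is N deletions plus N additions of NSEC3 RRs, each with its own RRSIG, plus a new NSEC3PARAM record; keeping the same salt on both nodes (or carrying the salt over in the state B inherits from A) is what keeps the next transfer incremental.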
