[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Sep 19 05:21:52 UTC 2013

On 09/18/2013 05:50 PM, Olaf Kolkman wrote:
> On 18 sep. 2013, at 16:08, Jerry Lundström <jerry at opendnssec.org
> <mailto:jerry at opendnssec.org>> wrote:
>> Say for example that you have two nodes, A and B, both running the
>> same KSK and ZSK but different salts. A is primary and the signed zone
>> it has generated is live. A then breaks down and we send a new update
>> of the zone to B and it generates a new signed zone with the same KSK
>> and ZSK but with a different NSEC3 salt.
>> Can or will there be a problem here when that zone goes live?
> From the point of view from the resolver this is a pretty atomic
> operation and I do not immediately (in the few minutes I thought about
> this) see a problem.

Short answer: Correct.

Long answer: Correct. There must be at least one complete NSEC/NSEC3
chain in the published zone, then it poses no validation issues at the
resolver. The resolver only needs to get consistent NSEC3 records in the
response. There are no timing issues like with DNSKEYs.

Best regards,

> From the point of view from the authoritative name servers to which A
> and B push their content this will trigger a full zone changes i.e. an
> AXFR instead of an IXFR.  That could be painful.
> --Olaf
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

More information about the Opendnssec-develop mailing list