[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Siôn Lloyd sion at nominet.org.uk
Thu Sep 19 08:13:19 UTC 2013

On 18/09/13 15:08, Jerry Lundström wrote:
> Say for example that you have two nodes, A and B, both running the same KSK and ZSK but different salts. A is primary and the signed zone it has generated is live. A then breaks down and we send a new update of the zone to B and it generates a new signed zone with the same KSK and ZSK but with a different NSEC3 salt.
> Can or will there be a problem here when that zone goes live?

If you have different salts it implies that you have an enforcer running
at both nodes, or at least that the signconfs are not in sync. The
problem that you need to worry about here is what happens when one node
kicks off a key roll.

As has been said, the salt change is not in itself an issue, but it would
indicate that the two nodes are not in step, which could be serious.


