[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Jerry Lundström jerry at opendnssec.org
Thu Sep 19 08:44:41 UTC 2013

On Sep 19, 2013, at 10:13 , Siôn Lloyd wrote:

> If you have different salt it implies that you have an enforcer running
> at both nodes, or at least that the signconfs are not in sync. The
> problem that you need to worry about here is what happens when one node
> kicks off a key roll?

Yes, both will have enforcers since I will be trying to manage multiple instances with the interfaces we have and NOT mess around with the internal files (which you should really really really not do).

Key rollovers will be set to manually in the policy and handled automatically by the management tool.

> As has been said the salt change is not in itself an issue; but it would
> indicate that the two nodes are not in step - which could be serious.

Not really, everything but the salt will be synchronized since we don't have interfaces to manage the salt. And since the salt does not seem to be a problem it should work.


Jerry Lundström - OpenDNSSEC Developer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20130919/ad21bc70/attachment.bin>

More information about the Opendnssec-develop mailing list