[Opendnssec-user] NSEC3 resalt and (re)signing

Tim Verhoeven tim.verhoeven.be at gmail.com
Wed May 26 18:12:28 UTC 2010


As said, we are planning to use OpenDNSSEC to manage signing our zone
and would like to use NSEC3. Looking around for best practices about NSEC3,
one thing that comes back a lot is to resalt your NSEC3 records each
time you resign the corresponding RR-set.

Now if I read the OpenDNSSEC docs correctly, then it only supports
setting an interval when to resalt, but that is not really useful
when you are using jitter in the signing part of the configuration.
How difficult would it be to support resalting at the same time that
resigning is done?


Tim Verhoeven - tim.verhoeven.be at gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the
"microsoft approach to programming" and should never be allowed.
(Linus Torvalds)
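
What a resalt changes in a signed zone, as an added example that is not part of the original post or of OpenDNSSEC: the salt is an input to every hashed owner name (RFC 5155, section 5), so the sketch below computes NSEC3 owner hashes and counts how many survive a salt change. The zone names and the new salt `deadbeef` are constructed; the salt `aabbccdd` with 12 iterations is the parameter set of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), lower-cased
# as NSEC3 owner labels are usually presented.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")


def chain_owners(names, salt_hex, iterations):
    """Hashed owner labels in the order the NSEC3 chain links them."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)


def owners_kept_after_resalt(names, old_salt, new_salt, iterations):
    """Number of NSEC3 owner labels that are identical under both salts."""
    old = set(chain_owners(names, old_salt, iterations))
    new = set(chain_owners(names, new_salt, iterations))
    return len(old & new)


# Constructed sample zone content (names only).
ZONE = ["example", "a.example", "ns1.example", "x.w.example"]

if __name__ == "__main__":
    for salt in ("aabbccdd", "deadbeef"):
        print(salt, chain_owners(ZONE, salt, 12))
    print("owners kept:", owners_kept_after_resalt(ZONE, "aabbccdd", "deadbeef", 12))
```

No owner label is shared between the two salts, so a resalt replaces the whole NSEC3 chain and its RRSIGs in one step.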
