[Opendnssec-user] predetermined NSEC3 salt value, no salt, iteration count default

Paul Wouters paul at nohats.ca
Tue Sep 11 19:53:45 UTC 2012


Hi,

Am I right that https://wiki.opendnssec.org/display/DOCS/kasp.xml lists
all the Salt options for NSEC3? That is, only salt length can be
specified, but not an actual salt value or list of salts?

When using multiple signers, it would be preferred to be able to
predict the new salts used. So it would be nice if this can live in
kasp.xml, instead of in /var/opendnssec/signconf/domain.xml, which is
generated only after the signer has been put to work. Consider this a
feature request.

As a workaround for this issue, we decided to start using no salt.
I noticed <Salt length="0"/> did not work as expected, and it still
generated an 8 byte salt. I had to remove the entire Salt tag to get
no salt. Consider this a bug report :)

Furthermore, the default values for iteration count between bind (10)
and opendnssec (5) are different. It would probably be a good idea if
both parties could look at using the same default value.

Paul
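The point behind the salt request above is that every signer of a zone must hash owner names identically, or the NSEC3 chains they emit will not line up. The following is an added illustration, not code from the post or from OpenDNSSEC/BIND: it implements the RFC 5155 hashed-owner-name computation (SHA-1, the only hash algorithm defined for NSEC3), checks it against the RFC 5155 Appendix A vector (salt aabbccdd, 12 iterations), and shows that two signers configured with different salt or iteration values, using the defaults quoted in the post as a constructed example, produce different hashed names. The NSEC3PARAM rendering shows how an empty salt appears on the wire ("-"), which is the state the poster was trying to reach.

```python
import base64
import hashlib

# RFC 4648 standard base32 alphabet -> base32hex alphabet (RFC 5155 s1.3 requires base32hex)
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def owner_name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case,
    length-prefixed labels, terminated by the root label."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"invalid label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(owner: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s5: IH(salt,x,0) = H(x || salt); IH(salt,x,k) = H(IH(salt,x,k-1) || salt).
    Returns the base32hex, lower-case hashed owner name (20-byte SHA-1 -> 32 chars, no padding)."""
    digest = hashlib.sha1(owner_name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3param_rdata(salt: bytes, iterations: int, flags: int = 0) -> str:
    """Presentation form of NSEC3PARAM rdata; an empty salt is written as '-' (RFC 5155 s3.3)."""
    return f"1 {flags} {iterations} {salt.hex() if salt else '-'}"


def signers_agree(cfg_a: dict, cfg_b: dict, names: list[str]) -> bool:
    """True only if both signer configurations hash every owner name identically,
    i.e. they could serve one consistent NSEC3 chain for the same zone."""
    return all(
        nsec3_hash(n, cfg_a["salt"], cfg_a["iterations"])
        == nsec3_hash(n, cfg_b["salt"], cfg_b["iterations"])
        for n in names
    )


# Constructed example: two signers for the same zone. The salt/iteration
# values are assumptions for illustration (the post quotes 5 and 10 as the
# OpenDNSSEC and BIND defaults; the 8-byte salt is the unintended one the
# poster saw generated).
SIGNER_A = {"salt": bytes.fromhex("0123456789abcdef"), "iterations": 5}
SIGNER_B = {"salt": b"", "iterations": 10}
SIGNER_B_FIXED = {"salt": b"", "iterations": 5}
SIGNER_A_FIXED = {"salt": b"", "iterations": 5}

if __name__ == "__main__":
    names = ["example.com", "www.example.com", "mail.example.com"]
    for cfg in (SIGNER_A, SIGNER_B):
        print(nsec3param_rdata(cfg["salt"], cfg["iterations"]),
              [nsec3_hash(n, cfg["salt"], cfg["iterations"]) for n in names])
    print("mismatched salt/iterations agree:", signers_agree(SIGNER_A, SIGNER_B, names))
    print("same salt/iterations agree:     ", signers_agree(SIGNER_A_FIXED, SIGNER_B_FIXED, names))
```

Because the salt is part of every hash input, a salt that one signer generates at random and another cannot predict breaks the chain even when both use the same iteration count; an empty salt with an agreed iteration count is the simplest way to keep independent signers consistent, which is the trade-off the post settles on.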



More information about the Opendnssec-user mailing list