[Opendnssec-user] predetermined NSEC3 salt value, no salt, iteration count default

Jakob Schlyter jakob at kirei.se
Wed Sep 12 06:07:00 UTC 2012


On 11 sep 2012, at 21:53, Paul Wouters <paul at nohats.ca> wrote:

> Am I right that https://wiki.opendnssec.org/display/DOCS/kasp.xml lists
> all the Salt options for NSEC3? That is, only salt length can be
> specified, but not an actual salt value or list of salts?

As the salt is to be changed from time to time, we think the actual salt value doesn't make sense in the policy. Also, the policy is usually shared between zones.

> When using multiple signers, it would be preferred to be able to
> predict the new salts used. So it would be nice if this can live in
> kasp.xml, instead of in /var/opendnssec/signconf/domain.xml, which is
> generated only after the signer has been put to work. Consider this a
> feature request.

A tool to manually set the initial salt would be enough? Please file something at https://issues.opendnssec.org/.

> As a work around for this issue, we decided to start using no salt.
> I noticed <Salt length="0"/> did not work as expected, and it still
> generated an 8 byte salt. I had to remove the entire Salt tag to get
> no salt. Consider this a bug report :)

Oh, that's bad - please file a bug at https://issues.opendnssec.org/.

> Furthermore, the default values for iteration count between bind (10)
> and opendnssec (5) is different. It would probably be a good idea if
> both parties could look at using the same default value.

Yes, I agree - the BIND default is way too large; please ask ISC to change :-)


	jakob
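As an added example (not OpenDNSSEC code and not part of this thread), the Python below reads the NSEC3 hash parameters from a constructed kasp.xml fragment, treating `<Salt length="0"/>` as an empty salt, and computes RFC 5155 owner-name hashes so you can see that two signers only produce the same NSEC3 chain when salt and iteration count match. The element layout (Policy/Denial/NSEC3/Hash with Algorithm, Iterations and Salt) is assumed from the OpenDNSSEC kasp.xml documentation.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment (not a real policy file); element layout
# assumed from the OpenDNSSEC kasp.xml documentation.
KASP_XML = """<KASP><Policy name="default"><Denial><NSEC3><Hash>
<Algorithm>1</Algorithm><Iterations>5</Iterations><Salt length="0"/>
</Hash></NSEC3></Denial></Policy></KASP>"""

# base32 (RFC 4648) alphabet -> base32hex alphabet used for NSEC3 owner names
_B32_TO_B32HEX = str.maketrans("abcdefghijklmnopqrstuvwxyz234567",
                               "0123456789abcdefghijklmnopqrstuv")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format of an owner name, root label included."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 of (name || salt), re-hashed `iterations` more
    times with the salt appended each round; returned as unpadded base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    b32 = base64.b32encode(h).decode("ascii").rstrip("=").lower()
    return b32.translate(_B32_TO_B32HEX)

def hash_params_from_policy(xml_text: str) -> tuple:
    """Return (salt, iterations) for the policy. A missing <Salt> element and
    length="0" both yield an empty salt, which is what the report expected."""
    hash_el = ET.fromstring(xml_text).find("./Policy/Denial/NSEC3/Hash")
    iterations = int(hash_el.findtext("Iterations", default="0"))
    salt_el = hash_el.find("Salt")
    length = int(salt_el.get("length", "0")) if salt_el is not None else 0
    return os.urandom(length), iterations

def signers_agree(name: str, salt_a: bytes, salt_b: bytes, iterations: int) -> bool:
    """Two signers emit the same NSEC3 owner for `name` only if their salts match."""
    return nsec3_hash(name, salt_a, iterations) == nsec3_hash(name, salt_b, iterations)

if __name__ == "__main__":
    salt, iters = hash_params_from_policy(KASP_XML)
    print("policy salt:", salt.hex() or "(none)", "iterations:", iters)
    print("example. ->", nsec3_hash("example.", salt, iters))
```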
