[Opendnssec-user] predetermined NSEC3 salt value, no salt, iteration count default

Paul Wouters paul at nohats.ca
Wed Sep 12 15:02:36 UTC 2012


On Wed, 12 Sep 2012, Jakob Schlyter wrote:

> On 11 sep 2012, at 21:53, Paul Wouters <paul at nohats.ca> wrote:
>
>> Am I right that https://wiki.opendnssec.org/display/DOCS/kasp.xml lists
>> all the Salt options for NSEC3? That is, only salt length can be
>> specified, but not an actual salt value or list of salts?
>
> As the salt is to be changed from time to time, we think the actual salt value doesn't make sense in the policy. Also, the policy is usually shared between zones.

Understood, and I understand it is a good default. But ... :)

>> When using multiple signers, it would be preferred to be able to
>> predict the new salts used. So it would be nice if this can live in
>> kasp.xml, instead of in /var/opendnssec/signconf/domain.xml, which is
>> generated only after the signer has been put to work. Consider this a
>> feature request.
>
> A tool to manually set the initial salt would be enough? Please file something at https://issues.opendnssec.org/.

Hmm, I wonder. If the salt is changed on two "identical" signers, to
something different, that would be a problem. So an operator would
have to do it manually before the Resalt time is reached. And changing
the salt value would have to also reset the Resalt timer. So better than
nothing, but not ideal. Bug filed (but it only allowed me to file it
under "support", not "opendnssec")

>> As a work around for this issue, we decided to start using no salt.
>> I noticed <Salt length="0"/> did not work as expected, and it still
>> generated an 8 byte salt. I had to remove the entire Salt tag to get
>> no salt. Consider this a bug report :)
>
> Oh, that's bad - please file a bug at https://issues.opendnssec.org/.

Actually, it seems I was wrong. Later on I noticed that it never
actually used a zero salt. Removing the Salt length actually causes the
xml to fail to validate, and the policy will not be used. Manually
removing the salt value in signconf/domain.xml seemed to indicate some
support for it, as my empty value got replaced with "-" after an
"update all". (and 10 minutes later I can confirm that the signer used
no salt now)

>> Furthermore, the default values for iteration count between bind (10)
>> and opendnssec (5) are different. It would probably be a good idea if
>> both parties could look at using the same default value.
>
> Yes I agree - the BIND default is way too large, please ask ISC to change :-)

:)

Paul
