[Opendnssec-user] predetermined NSEC3 salt value, no salt, iteration count default
Paul Wouters
paul at nohats.ca
Wed Sep 12 16:18:48 UTC 2012
On Wed, 12 Sep 2012, Paul Wouters wrote:
>>> As a work around for this issue, we decided to start using no salt.
>>> I noticed <Salt length="0"/> did not work as expected, and it still
>>> generated an 8 byte salt. I had to remove the entire Salt tag to get
>>> no salt. Consider this a bug report :)
>>
>> Oh, that's bad - please file a bug at https://issues.opendnssec.org/.
>
> Actually, it seems I was wrong. Later on I noticed that it never
> actually used a zero salt. Removing the Salt length actually causes the
> xml to fail to validate, and the policy will not be used. Manually
> removing the salt value in signconf/domain.xml seemed to indicate some
> support for it, as my empty value got replaced with "-" after an
> "update all". (and 10 minutes later I can confirm that the signer used
> no salt now)
I confirmed <Salt length="0"/> works. There must have been an operator
error by me in regenerating/restarting/removing signconf/ files or
something.
I changed policy on another server to use length 0, ran "update all"
and the signconf/domain.xml got updated to Salt "-".
Sorry for the false positive,
Paul
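As an added example that is not part of this thread or of OpenDNSSEC itself: a small Python script implementing the RFC 5155 NSEC3 owner-name hash, treating the presentation-format salt "-" (what the signconf shows for a zero-length salt) as an empty salt, so a policy's salt and iteration settings can be checked against a known vector. The salt and iteration values in the script are taken from RFC 5155 Appendix A, not from this thread.

```python
import base64
import hashlib

# Standard base32 output translated to base32hex (RFC 4648 "extended hex"),
# the alphabet NSEC3 owner names use in presentation format.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_salt(text: str) -> bytes:
    """Presentation-format salt -> bytes. '-' means an empty salt (RFC 5155 3.3)."""
    if text in ("-", ""):
        return b""
    if len(text) % 2 or len(text) > 510:
        raise ValueError("salt must be an even number of hex digits, at most 255 bytes")
    return bytes.fromhex(text)


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_text: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1 over (name || salt), re-hashed 'iterations' more times."""
    salt = parse_salt(salt_text)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


if __name__ == "__main__":
    # RFC 5155 Appendix A vector (salt aabbccdd, 12 iterations), then the
    # same name with the empty salt the signconf writes as "-".
    print(nsec3_hash("example.", "aabbccdd", 12))
    print(nsec3_hash("example.", "-", 12))
```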