[Opendnssec-user] How can OpenDNSSEC be configured in compliance with RFC9276?

Stefan Ubbink Stefan.Ubbink at sidn.nl
Mon Oct 3 10:45:02 UTC 2022


On Wed, 07 Sep 2022 11:54:22 +0200
Berry van Halderen <berry at nlnetlabs.nl> wrote:

> On 2022-09-07 07:26, Stefan Ubbink wrote:
> > Hello,
> > 
> > We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
> > NSEC3 Parameter Settings) and some parts of this RFC are very easy,
> > but I cannot get the salt to be empty ('-') as described in section
> > 3.1.
> > With the following settings in the kasp.xml:
> > 
> > <Denial>
> >     <NSEC3>
> >         <Resalt>P90D</Resalt>
> >         <Hash>
> >             <Algorithm>1</Algorithm>
> >             <Iterations>0</Iterations>
> >             <Salt length="0">-</Salt>
> >         </Hash>
> >     </NSEC3>
> > </Denial>  
> 
> Hi Stefan,
> 
> Specifying the salt as such:
> 
>      <Salt length="0"/>
> 
> should work.  So an empty XML element without the "-".  The hash
> is only an artifact for zone files, such that there is a field.

It does not make any difference how the salt is written.
There seems to be a bug in ODS 2.1.10 when changing the salt length to
0, which has been fixed in 2.1.11-rc3 and should be available in the
final 2.1.11 release.

After changing the kasp.xml to have a salt length of 0, you have to
execute the following commands to tell ODS about these changes.

ods-enforcer policy import
ods-enforcer policy resalt

I have confirmed that this works in our test setup.

-- 
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
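As an added example (not part of the thread above and not OpenDNSSEC code), the small checker below verifies the two NSEC3 settings RFC 9276 section 3.1 asks zone publishers to use, iterations 0 and an empty salt, from either a kasp.xml <Denial> fragment or an NSEC3PARAM record in zone-file presentation format. In line with Stefan's remark that it does not matter how the empty salt is written, the kasp.xml parser treats the literal "-" and an empty <Salt length="0"/> element identically. The kasp.xml fragments and the NSEC3PARAM lines used as input are constructed for the example; the zone name example.test is a placeholder.

```python
"""Check NSEC3 parameters against the RFC 9276 section 3.1 zone-publisher
guidance (iterations 0, empty salt).

Added example for illustration, not OpenDNSSEC code.  Accepts a kasp.xml
<Denial> fragment or an NSEC3PARAM record in presentation format.
"""
import xml.etree.ElementTree as ET

# RFC 5155 defines a single NSEC3 hash algorithm: 1 = SHA-1.
KNOWN_HASH_ALGORITHMS = {1}

# Constructed inputs: the kasp.xml fragment from the thread (salt written as
# "-") and the empty-element form suggested in the reply.
KASP_DASH_SALT = """<Denial>
    <NSEC3>
        <Resalt>P90D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>0</Iterations>
            <Salt length="0">-</Salt>
        </Hash>
    </NSEC3>
</Denial>"""

KASP_EMPTY_SALT = KASP_DASH_SALT.replace('<Salt length="0">-</Salt>',
                                         '<Salt length="0"/>')

# Constructed NSEC3PARAM records (example.test is a placeholder zone).
NSEC3PARAM_OK = "example.test. 3600 IN NSEC3PARAM 1 0 0 -"
NSEC3PARAM_BAD = "example.test. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD"


def parse_kasp_nsec3(xml_text):
    """Return {'algorithm', 'iterations', 'salt'} from a kasp.xml <Denial>.

    The salt is returned as an upper-case hex string, '' meaning empty: both
    the zone-file placeholder '-' and an empty <Salt/> element map to ''.
    """
    root = ET.fromstring(xml_text)
    hash_el = root if root.tag == "Hash" else root.find(".//NSEC3/Hash")
    if hash_el is None:
        raise ValueError("no <NSEC3><Hash> section found")
    salt_el = hash_el.find("Salt")
    salt = (salt_el.text or "").strip() if salt_el is not None else ""
    if salt == "-":
        salt = ""
    return {
        "algorithm": int(hash_el.findtext("Algorithm")),
        "iterations": int(hash_el.findtext("Iterations")),
        "salt": salt.upper(),
    }


def parse_nsec3param(rr_text):
    """Parse 'owner TTL IN NSEC3PARAM alg flags iterations salt' (RFC 5155)."""
    tokens = rr_text.split()
    try:
        i = tokens.index("NSEC3PARAM")
        algorithm, flags, iterations, salt = tokens[i + 1:i + 5]
    except (ValueError, IndexError):
        raise ValueError("not an NSEC3PARAM record: %r" % rr_text)
    return {
        "algorithm": int(algorithm),
        "flags": int(flags),
        "iterations": int(iterations),
        "salt": "" if salt == "-" else salt.upper(),
    }


def check_rfc9276(params):
    """Return a list of findings; an empty list means the RFC 9276 section 3.1
    publisher guidance (iterations 0, empty salt) is met."""
    findings = []
    if params["algorithm"] not in KNOWN_HASH_ALGORITHMS:
        findings.append("hash algorithm %d is not defined by RFC 5155"
                        % params["algorithm"])
    if params["iterations"] != 0:
        findings.append("iterations is %d; RFC 9276 recommends 0"
                        % params["iterations"])
    if params["salt"]:
        findings.append("salt is %r; RFC 9276 recommends an empty salt ('-')"
                        % params["salt"])
    return findings


if __name__ == "__main__":
    for label, params in (("kasp.xml with '-'", parse_kasp_nsec3(KASP_DASH_SALT)),
                          ("kasp.xml empty <Salt/>", parse_kasp_nsec3(KASP_EMPTY_SALT)),
                          ("NSEC3PARAM ok", parse_nsec3param(NSEC3PARAM_OK)),
                          ("NSEC3PARAM bad", parse_nsec3param(NSEC3PARAM_BAD))):
        print(label, "->", check_rfc9276(params) or "compliant")
```

Pointing parse_nsec3param at the NSEC3PARAM record actually published by the signer (for example from a dig output) is a useful check after running the ods-enforcer commands above, since it confirms the new parameters reached the zone rather than only the policy.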