From Stefan.Ubbink at sidn.nl Wed Sep 7 05:26:25 2022
From: Stefan.Ubbink at sidn.nl (Stefan Ubbink)
Date: Wed, 7 Sep 2022 07:26:25 +0200
Subject: [Opendnssec-user] How can OpenDNSSEC be configured in compliance with RFC9276?
Message-ID: <20220907072625.551d0e34@1040-04-008.sidn.nl>

Hello,

We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
NSEC3 Parameter Settings) and some parts of this RFC are very easy,
but I cannot get the salt to be empty ('-') as described in section
3.1
With the following settings in the kasp.xml

P90D
1
0
-

Results in the following NSEC3PARAM record:

NSEC3PARAM 1 0 0 DAFDC9C1B52486F5

I also tried to remove the Salt element, but that results in an invalid
configuration as described in /usr/share/opendnssec/kasp.rng .

How can I change the configuration to get an empty salt?

-- 
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl

From berry at nlnetlabs.nl Wed Sep 7 09:54:22 2022
From: berry at nlnetlabs.nl (Berry van Halderen)
Date: Wed, 07 Sep 2022 11:54:22 +0200
Subject: [Opendnssec-user] How can OpenDNSSEC be configured in compliance with RFC9276?
In-Reply-To: <20220907072625.551d0e34@1040-04-008.sidn.nl>
References: <20220907072625.551d0e34@1040-04-008.sidn.nl>
Message-ID: <47a8e68fd25cc6c8bab7b48cb86ba306@nlnetlabs.nl>

On 2022-09-07 07:26, Stefan Ubbink wrote:
> Hello,
>
> We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
> NSEC3 Parameter Settings) and some parts of this RFC are very easy,
> but I cannot get the salt to be empty ('-') as described in section
> 3.1
> With the following settings in the kasp.xml
>
> P90D
>
> 1
> 0
> -
>

Hi Stefan,

Specifying the salt as such:

Should work.
So an empty XML element without the "-". The hash is only an artifact
for zone files such that there is a field.

\Berry

> Results in the following NSEC3PARAM record:
>
> NSEC3PARAM 1 0 0 DAFDC9C1B52486F5
>
> I also tried to remove the Salt element, but that results in an invalid
> configuration as described in /usr/share/opendnssec/kasp.rng .
>
> How can I change the configuration to get an empty salt?
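
Added example, not part of the thread and not OpenDNSSEC code: a Python check of an NSEC3PARAM record against the RFC 9276 section 3.1 zone-publisher settings (zero iterations, empty salt). It also encodes the record to wire format to show that "-" exists only in presentation format and becomes a zero salt-length byte. The example.com record is a constructed sample; the other is the record posted in the thread.

```python
import re
from dataclasses import dataclass

@dataclass
class Nsec3Param:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes

    def to_wire(self) -> bytes:
        # RFC 5155 RDATA: alg (1), flags (1), iterations (2), salt length (1), salt
        return (bytes([self.hash_alg, self.flags]) + self.iterations.to_bytes(2, "big")
                + bytes([len(self.salt)]) + self.salt)

def parse_nsec3param(line: str) -> Nsec3Param:
    """Parse a presentation-format record; owner, TTL and class are optional."""
    fields = line.split()
    types = [f.upper() for f in fields]
    if "NSEC3PARAM" not in types:
        raise ValueError("not an NSEC3PARAM record")
    rdata = fields[types.index("NSEC3PARAM") + 1:]
    if len(rdata) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    alg, flags, iterations = (int(x) for x in rdata[:3])
    if rdata[3] == "-":
        salt = b""  # "-" is only the zone-file spelling of a zero-length salt
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,255}", rdata[3]):
        salt = bytes.fromhex(rdata[3])
    else:
        raise ValueError("salt must be '-' or an even number of hex digits")
    if not (0 <= alg <= 255 and 0 <= flags <= 255 and 0 <= iterations <= 65535):
        raise ValueError("field out of range")
    return Nsec3Param(alg, flags, iterations, salt)

def rfc9276_findings(p: Nsec3Param) -> list:
    """Return deviations from the RFC 9276 section 3.1 zone-publisher settings."""
    findings = []
    if p.iterations != 0:
        findings.append(f"iterations is {p.iterations}, should be 0")
    if p.salt:
        findings.append(f"salt is {len(p.salt)} bytes ({p.salt.hex().upper()}), should be empty")
    return findings

if __name__ == "__main__":
    for rr in ("NSEC3PARAM 1 0 0 DAFDC9C1B52486F5",         # record from the thread
               "example.com. 3600 IN NSEC3PARAM 1 0 0 -"):  # constructed sample
        p = parse_nsec3param(rr)
        print(rr, "| wire:", p.to_wire().hex(), "|", rfc9276_findings(p) or "ok")
```

Running the same check on the NSEC3PARAM record the signer publishes after a kasp.xml change confirms whether the empty salt actually took effect.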