From Stefan.Ubbink at sidn.nl Wed Sep 7 05:26:25 2022
From: Stefan.Ubbink at sidn.nl (Stefan Ubbink)
Date: Wed, 7 Sep 2022 07:26:25 +0200
Subject: [Opendnssec-user] How can OpenDNSSEC be configured in compliance
with RFC9276?
Message-ID: <20220907072625.551d0e34@1040-04-008.sidn.nl>
Hello,
We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
NSEC3 Parameter Settings) and some parts of this RFC are very easy, but I cannot get the salt to be empty ('-') as described in section 3.1.
With the following settings in the kasp.xml
P90D
1
0
-
Results in the following NSEC3PARAM record:
NSEC3PARAM 1 0 0 DAFDC9C1B52486F5
I also tried to remove the Salt element, but that results in an invalid
configuration as described in /usr/share/opendnssec/kasp.rng .
How can I change the configuration to get an empty salt?
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
From berry at nlnetlabs.nl Wed Sep 7 09:54:22 2022
From: berry at nlnetlabs.nl (Berry van Halderen)
Date: Wed, 07 Sep 2022 11:54:22 +0200
Subject: [Opendnssec-user] How can OpenDNSSEC be configured in
compliance with RFC9276?
In-Reply-To: <20220907072625.551d0e34@1040-04-008.sidn.nl>
References: <20220907072625.551d0e34@1040-04-008.sidn.nl>
Message-ID: <47a8e68fd25cc6c8bab7b48cb86ba306@nlnetlabs.nl>
On 2022-09-07 07:26, Stefan Ubbink wrote:
> Hello,
>
> We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
> NSEC3 Parameter Settings) and some parts of this RFC are very easy,
> but I cannot get the salt to be empty ('-') as described in section
> 3.1
> With the following settings in the kasp.xml
>
>
>
> P90D
>
> 1
> 0
> -
>
>
>
Hi Stefan,
Specifying the salt as such:
Should work. So an empty XML element without the "-". The hash
is only an artifact for zone files such that there is a field.
\Berry
> Results in the following NSEC3PARAM record:
>
> NSEC3PARAM 1 0 0 DAFDC9C1B52486F5
>
> I also tried to remove the Salt element, but that results in an invalid
> configuration as described in /usr/share/opendnssec/kasp.rng .
>
> How can I change the configuration to get an empty salt?
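
Added example, not part of the thread and not OpenDNSSEC code: a small Python check that parses an NSEC3PARAM record in presentation format and reports where it departs from the RFC 9276 section 3.1 settings discussed above (0 iterations, empty salt written as "-"). The function names are illustrative, and every sample record other than the one quoted in the thread is constructed.

```python
from dataclasses import dataclass


@dataclass
class Nsec3Param:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes


def parse_nsec3param(record: str) -> Nsec3Param:
    """Parse presentation format; owner, TTL and class may precede the type."""
    tokens = record.split()
    if "NSEC3PARAM" not in tokens:
        raise ValueError("not an NSEC3PARAM record")
    rdata = tokens[tokens.index("NSEC3PARAM") + 1:]
    if len(rdata) != 4:
        raise ValueError("expected: hash-alg flags iterations salt")
    hash_alg, flags, iterations = (int(field) for field in rdata[:3])
    # "-" is how the presentation format writes a zero-length salt;
    # anything else is hex (bytes.fromhex raises ValueError on bad input).
    salt = b"" if rdata[3] == "-" else bytes.fromhex(rdata[3])
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return Nsec3Param(hash_alg, flags, iterations, salt)


def rfc9276_findings(record: str) -> list:
    """Return one message per departure from RFC 9276 section 3.1."""
    param = parse_nsec3param(record)
    findings = []
    if param.iterations != 0:
        findings.append(f"iterations is {param.iterations}, expected 0")
    if param.salt:
        findings.append(
            f"salt is {len(param.salt)} octets ({param.salt.hex().upper()}), "
            "expected empty ('-')"
        )
    return findings


if __name__ == "__main__":
    samples = [
        "NSEC3PARAM 1 0 0 DAFDC9C1B52486F5",        # record quoted in the thread
        "NSEC3PARAM 1 0 0 -",                       # constructed: target state
        "example. 3600 IN NSEC3PARAM 1 0 10 AABB",  # constructed: two findings
    ]
    for sample in samples:
        print(sample, "->", rfc9276_findings(sample) or "compliant")
```
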