From Stefan.Ubbink at sidn.nl  Wed Sep  7 05:26:25 2022
From: Stefan.Ubbink at sidn.nl (Stefan Ubbink)
Date: Wed, 7 Sep 2022 07:26:25 +0200
Subject: [Opendnssec-user] How can OpenDNSSEC be configured in compliance
 with RFC9276?
Message-ID: <20220907072625.551d0e34@1040-04-008.sidn.nl>

Hello,

We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
NSEC3 Parameter Settings) and some parts of this RFC are very easy, but I cannot get the salt to be empty ('-') as described in section 3.1
With the following settings in the kasp.xml

<Denial>
    <NSEC3>
        <Resalt>P90D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>0</Iterations>
            <Salt length="0">-</Salt>
        </Hash>
    </NSEC3>
</Denial>

Results in the following NSEC3PARAM record:

NSEC3PARAM 1 0 0 DAFDC9C1B52486F5

I also tried to remove the Salt element, but that results in an invalid
configuration as described in /usr/share/opendnssec/kasp.rng .

How can I change the configuration to get an empty salt?

-- 
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20220907/d81d8dd8/attachment.bin>

From berry at nlnetlabs.nl  Wed Sep  7 09:54:22 2022
From: berry at nlnetlabs.nl (Berry van Halderen)
Date: Wed, 07 Sep 2022 11:54:22 +0200
Subject: [Opendnssec-user] How can OpenDNSSEC be configured in
 compliance with RFC9276?
In-Reply-To: <20220907072625.551d0e34@1040-04-008.sidn.nl>
References: <20220907072625.551d0e34@1040-04-008.sidn.nl>
Message-ID: <47a8e68fd25cc6c8bab7b48cb86ba306@nlnetlabs.nl>

On 2022-09-07 07:26, Stefan Ubbink wrote:
> Hello,
> 
> We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
> NSEC3 Parameter Settings) and some parts of this RFC are very easy,
> but I cannot get the salt to be empty ('-') as described in section
> 3.1
> With the following settings in the kasp.xml
> 
> <Denial>
>     <NSEC3>
>         <Resalt>P90D</Resalt>
>         <Hash>
>             <Algorithm>1</Algorithm>
>             <Iterations>0</Iterations>
>             <Salt length="0">-</Salt>
>         </Hash>
>     </NSEC3>
> </Denial>

Hi Stefan,

Specifying the salt as such:

     <Salt length="0"/>

Should work.  So an empty XML element without the "-".  The hash
is only an artifact for zone files such there is a field.

\Berry

> Results in the following NSEC3PARAM record:
> 
> NSEC3PARAM 1 0 0 DAFDC9C1B52486F5
> 
> I also tried to remove the Salt element, but that results in an invalid
> configuration as described in /usr/share/opendnssec/kasp.rng .
> 
> How can I change the configuration to get an empty salt?