[Opendnssec-user] How can OpenDNSSEC be configured in compliance with RFC9276?

Stefan Ubbink Stefan.Ubbink at sidn.nl
Wed Sep 7 05:26:25 UTC 2022


Hello,

We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
NSEC3 Parameter Settings) and some parts of this RFC are very easy, but
I cannot get the salt to be empty ('-') as described in section 3.1.
With the following settings in the kasp.xml

<Denial>
    <NSEC3>
        <Resalt>P90D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>0</Iterations>
            <Salt length="0">-</Salt>
        </Hash>
    </NSEC3>
</Denial>

Results in the following NSEC3PARAM record:

NSEC3PARAM 1 0 0 DAFDC9C1B52486F5

I also tried to remove the Salt element, but that results in an invalid
configuration as described in /usr/share/opendnssec/kasp.rng .

How can I change the configuration to get an empty salt?

-- 
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
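
A check for the mismatch described in the message above, added here as an example and not part of the original post or of OpenDNSSEC: it parses the kasp.xml fragment and the NSEC3PARAM record quoted in the message and reports where the published record departs from the policy and from the zero-iterations, empty-salt settings of RFC 9276 section 3.1. The function names are hypothetical; bare RDATA such as `1 0 0 -` is accepted as well.

```python
import re
import xml.etree.ElementTree as ET

# Both inputs are copied from the message above.
KASP_DENIAL = """<Denial><NSEC3><Resalt>P90D</Resalt><Hash>
<Algorithm>1</Algorithm><Iterations>0</Iterations>
<Salt length="0">-</Salt></Hash></NSEC3></Denial>"""
PUBLISHED = "NSEC3PARAM 1 0 0 DAFDC9C1B52486F5"

def parse_nsec3param(line):
    """Parse '[owner ttl class] NSEC3PARAM alg flags iterations salt' or bare RDATA."""
    tokens = line.split()
    upper = [t.upper() for t in tokens]
    if "NSEC3PARAM" in upper:
        tokens = tokens[upper.index("NSEC3PARAM") + 1:]
    if len(tokens) != 4:
        raise ValueError(f"expected 4 RDATA fields, got {len(tokens)}")
    alg, flags, iterations = (int(t) for t in tokens[:3])
    salt_text = tokens[3]
    if salt_text == "-":                      # presentation form of an empty salt
        salt = b""
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", salt_text):
        salt = bytes.fromhex(salt_text)
    else:
        raise ValueError(f"salt is neither '-' nor hex: {salt_text!r}")
    return {"algorithm": alg, "flags": flags, "iterations": iterations, "salt": salt}

def rfc9276_findings(record):
    """Return the ways a parsed record departs from RFC 9276 section 3.1."""
    findings = []
    if record["iterations"] != 0:
        findings.append(f"iterations is {record['iterations']}, RFC 9276 asks for 0")
    if record["salt"]:
        findings.append(f"salt is {len(record['salt'])} bytes, RFC 9276 asks for '-'")
    return findings

def policy_vs_published(denial_xml, line):
    """Compare the <Denial> policy with the record actually served."""
    hash_el = ET.fromstring(denial_xml).find("./NSEC3/Hash")
    want_salt_len = int(hash_el.find("Salt").get("length"))
    want_iterations = int(hash_el.findtext("Iterations"))
    record = parse_nsec3param(line)
    findings = rfc9276_findings(record)
    if len(record["salt"]) != want_salt_len:
        findings.append(f"policy salt length {want_salt_len}, published {len(record['salt'])}")
    if record["iterations"] != want_iterations:
        findings.append(f"policy iterations {want_iterations}, published {record['iterations']}")
    return findings

if __name__ == "__main__":
    for finding in policy_vs_published(KASP_DENIAL, PUBLISHED):
        print("FINDING:", finding)
```
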