[Opendnssec-user] How can OpenDNSSEC be configured in compliance with RFC9276?

Berry van Halderen berry at nlnetlabs.nl
Wed Sep 7 09:54:22 UTC 2022


On 2022-09-07 07:26, Stefan Ubbink wrote:
> Hello,
> 
> We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
> NSEC3 Parameter Settings) and some parts of this RFC are very easy,
> but I cannot get the salt to be empty ('-') as described in section
> 3.1
> With the following settings in the kasp.xml
> 
> <Denial>
>     <NSEC3>
>         <Resalt>P90D</Resalt>
>         <Hash>
>             <Algorithm>1</Algorithm>
>             <Iterations>0</Iterations>
>             <Salt length="0">-</Salt>
>         </Hash>
>     </NSEC3>
> </Denial>

Hi Stefan,

Specifying the salt as such:

     <Salt length="0"/>

Should work.  So an empty XML element without the "-".  The hash
is only an artifact for zone files such that there is a field.

\Berry

> Results in the following NSEC3PARAM record:
> 
> NSEC3PARAM 1 0 0 DAFDC9C1B52486F5
> 
> I also tried to remove the Salt element, but that results in an invalid
> configuration as described in /usr/share/opendnssec/kasp.rng .
> 
> How can I change the configuration to get an empty salt?
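Added example, not part of the thread: a small check that parses NSEC3PARAM records (the one Stefan posted, or the RDATA that `dig +short NSEC3PARAM <zone>` returns after resigning with `<Salt length="0"/>`) and reports the two RFC 9276 section 3.1 deviations this thread is about, non-zero iterations and a non-empty salt. The function names and sample records are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class NSEC3Param:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes  # empty when the presentation form is "-"


def parse_nsec3param(rdata: str) -> NSEC3Param:
    """Parse 'NSEC3PARAM 1 0 0 DAFDC9C1B52486F5' or bare RDATA such as '1 0 0 -'."""
    fields = rdata.split()
    if fields and fields[0].upper() == "NSEC3PARAM":
        fields = fields[1:]
    if len(fields) != 4:
        raise ValueError(f"expected 4 RDATA fields, got {len(fields)}: {rdata!r}")
    alg, flags, iters, salt = fields
    if salt == "-":
        salt_bytes = b""  # RFC 5155 presentation form of an empty salt
    elif re.fullmatch(r"[0-9A-Fa-f]+", salt) and len(salt) % 2 == 0:
        salt_bytes = bytes.fromhex(salt)
    else:
        raise ValueError(f"salt must be '-' or an even-length hex string: {salt!r}")
    return NSEC3Param(int(alg), int(flags), int(iters), salt_bytes)


def rfc9276_findings(p: NSEC3Param) -> list[str]:
    """Return deviations from RFC 9276 section 3.1; an empty list means compliant."""
    findings = []
    if p.hash_alg != 1:
        findings.append(f"hash algorithm {p.hash_alg} is not SHA-1 (1)")
    if p.iterations != 0:
        findings.append(f"iterations={p.iterations}, RFC 9276 wants 0")
    if p.salt:
        findings.append(
            f"salt={p.salt.hex().upper()} ({len(p.salt)} bytes), RFC 9276 wants an empty salt"
        )
    return findings


# Constructed samples: the still-salted record from the thread, and the record
# expected once kasp.xml carries <Salt length="0"/>.
SAMPLE_RECORDS = [
    "NSEC3PARAM 1 0 0 DAFDC9C1B52486F5",
    "NSEC3PARAM 1 0 0 -",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        found = rfc9276_findings(parse_nsec3param(rec))
        print(rec, "->", "compliant" if not found else "; ".join(found))
```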

