[Opendnssec-user] KASP configuration questions
Berry van Halderen
berry at nlnetlabs.nl
Thu Feb 23 08:33:20 UTC 2023
On 2023-02-23 00:13, Nick Urbanik via Opendnssec-user wrote:
> Dear Folks,
>
> On 23/02/23 10:00 +1100, Nick Urbanik via Opendnssec-user wrote:
>> I want to
> ...
>> disable salting in NSEC3, and have one iteration only of hashing.
>> <Denial>
>>   <NSEC3>
>>     <Resalt>PT0S</Resalt>
>>     <Hash>
>>       <Algorithm>1</Algorithm>
>>       <Iterations>1</Iterations>
>>       <Salt length="0"/>
>>     </Hash>
>>   </NSEC3>
>> </Denial>
>
>> However, it does not like the value I gave for Resalt. How do you
>> express that you want no salt in your NSEC3 records?
>
> I changed Iterations to 0.
>
> I changed Resalt to <Resalt>P2000D</Resalt>. Is that how to implement
> the recommendations of RFC 9276?
Yes, unfortunately the Resalt is mandatory and needs a positive value,
but the resalting won't actually be performed after the period (for
current versions). I do recommend setting it high, i.e. years.
\Berry
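
An added example, not part of the original thread and not OpenDNSSEC code: a small Python check of a KASP `<Denial>` block against the settings discussed above (zero iterations, zero-length salt, a positive and long `Resalt`). The function names, the one-year threshold and the 365-day year / 30-day month conversion are assumptions made for this sketch; the two sample policies are constructed from the values quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

# ISO 8601 duration such as PT0S or P2000D (the weeks form is not handled).
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumption for this check only: 365-day year, 30-day month.
_UNIT_SECONDS = (365 * 86400, 30 * 86400, 86400, 3600, 60, 1)

def duration_seconds(text):
    """Approximate seconds in an ISO 8601 duration; None if malformed."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        return None
    return sum(int(v or 0) * u for v, u in zip(m.groups(), _UNIT_SECONDS))

def check_denial(xml_text):
    """Return a list of findings for one <Denial> element; empty means OK."""
    nsec3 = ET.fromstring(xml_text).find("NSEC3")
    if nsec3 is None:
        return ["no <NSEC3> element in <Denial>"]
    findings = []
    iterations = nsec3.findtext("Hash/Iterations", "").strip()
    if iterations != "0":
        findings.append(f"Iterations is {iterations or 'missing'}, expected 0")
    salt = nsec3.find("Hash/Salt")
    if salt is None or salt.get("length") != "0":
        findings.append("Salt length is not 0")
    resalt = duration_seconds(nsec3.findtext("Resalt", ""))
    if resalt is None or resalt <= 0:
        findings.append("Resalt must be a positive duration")
    elif resalt < 365 * 86400:
        findings.append("Resalt is under one year; the reply suggests years")
    return findings

# Constructed samples built from the values quoted in the thread.
_TEMPLATE = ("<Denial><NSEC3><Resalt>{resalt}</Resalt><Hash>"
             "<Algorithm>1</Algorithm><Iterations>{iterations}</Iterations>"
             "<Salt length=\"0\"/></Hash></NSEC3></Denial>")
ORIGINAL = _TEMPLATE.format(resalt="PT0S", iterations=1)   # first attempt
REVISED = _TEMPLATE.format(resalt="P2000D", iterations=0)  # after the changes

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, check_denial(policy) or "OK")
```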