[Opendnssec-user] Adhering to RFC 9276 Sec. 3.1

Abdulkareem H. Ali kareem.ali at centralnic.com
Mon Oct 28 15:31:03 UTC 2024 

Hi

> Thank you all for the help, but <Salt length="0"/> is still generating a salt value. Does OpenDNSSEC not support zero length salt values?

Have you imported the updated policies after updating the KASP file?, you will probably need to run `ods-enforcer policy import` and also update the zone’s signconf file, `ods-signer update signconf`.

Then verify the signconf config file for the zone, usually located in `/var/opendnssec/signconf/ZONE.xml`, but could be set differently in your config.

HTH,
Kareem.

--
Abdulkareem H. Ali
Technical Product Owner, DNS
CentralNic Registry - Team Internet Group PLC
London Stock Exchange Symbol: LON:TIG

+44 20 3388 0600
www.centralnicregistry.com<https://www.centralnicregistry.com>

Centralnic Group PLC is a company registered in England and Wales with company number 8576358. Registered Offices: CentralNic, 4th Floor, Saddlers House, 44 Gutter Lane, London, EC2V 6BR.

From: Opendnssec-user <opendnssec-user-bounces at lists.opendnssec.org> on behalf of Bruno Blanes via Opendnssec-user <opendnssec-user at lists.opendnssec.org>
Date: Monday, 28 October 2024 at 12:16
To: Antonio Prado <antonio at prado.it>
Cc: opendnssec-user at lists.opendnssec.org <opendnssec-user at lists.opendnssec.org>
Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
Thank you all for the help, but <Salt length="0"/> is still generating a salt value. Does OpenDNSSEC not support zero length salt values?

> -----Original Message-----
> From: Antonio Prado <antonio at prado.it>
> Sent: Friday, October 25, 2024 3:51 PM
> To: Bruno Blanes <bruno.blanes at outlook.com>
> Cc: opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
>
> On 10/25/24 3:45 PM, Bruno Blanes via Opendnssec-user wrote:
>
> > I’ve been trying to set OpenDNSSEC to generate the NSEC3 parameter
> > with an empty salt and zero iterations (as per RFC 9276 Sec. 3.1), but
> > to no avail. I have tried setting <Iterations> to zero as well as
> > <Salt> length parameter, but couldn’t get it working.
> >
> > Could some kind angel help me out here, please?
>
> hi,
>
> <NSEC3>
>         <Hash>
>           <Algorithm>1</Algorithm>
>           <Iterations>0</Iterations>
>           <Salt length="0"/>
>         </Hash>
> </NSEC3>
>
> then apply the policy and wait
> --
> antonio
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20241028/8a04d7ec/attachment-0001.htm>

More information about the Opendnssec-user mailing list