[Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
Bruno Blanes
bruno.blanes at outlook.com
Mon Oct 28 17:44:13 UTC 2024
So resalt wasn't doing anything because the salt wasn't old enough. After purposefully changing the resalt period to make it run, it printed the following message in my logfile when using <Salt length="0"/>:
[policy_resalt_task] policy default has an invalid salt length. Must be in range [0..255]
Best regards,
Bruno Blanes
From: Abdulkareem H. Ali <kareem.ali at centralnic.com>
Sent: Monday, October 28, 2024 12:31 PM
To: Bruno Blanes <bruno.blanes at outlook.com>; Antonio Prado <antonio at prado.it>
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
Hi
> Thank you all for the help, but <Salt length="0"/> is still generating a salt value. Does OpenDNSSEC not support zero length salt values?
Have you imported the updated policies after updating the KASP file? You will probably need to run `ods-enforcer policy import` and also update the zone's signconf file, `ods-signer update signconf`.
Then verify the signconf config file for the zone, usually located in `/var/opendnssec/signconf/ZONE.xml`, but could be set differently in your config.
HTH,
Kareem.
--
Abdulkareem H. Ali
Technical Product Owner, DNS
CentralNic Registry - Team Internet Group PLC
London Stock Exchange Symbol: LON:TIG
+44 20 3388 0600
https://www.centralnicregistry.com/
Centralnic Group PLC is a company registered in England and Wales with company number 8576358. Registered Offices: CentralNic, 4th Floor, Saddlers House, 44 Gutter Lane, London, EC2V 6BR.
From: Opendnssec-user <opendnssec-user-bounces at lists.opendnssec.org> on behalf of Bruno Blanes via Opendnssec-user <opendnssec-user at lists.opendnssec.org>
Date: Monday, 28 October 2024 at 12:16
To: Antonio Prado <antonio at prado.it>
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
Thank you all for the help, but <Salt length="0"/> is still generating a salt value. Does OpenDNSSEC not support zero length salt values?
> -----Original Message-----
> From: Antonio Prado <antonio at prado.it>
> Sent: Friday, October 25, 2024 3:51 PM
> To: Bruno Blanes <bruno.blanes at outlook.com>
> Cc: opendnssec-user at lists.opendnssec.org
> Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
>
> On 10/25/24 3:45 PM, Bruno Blanes via Opendnssec-user wrote:
>
> > I've been trying to set OpenDNSSEC to generate the NSEC3 parameter
> > with an empty salt and zero iterations (as per RFC 9276 Sec. 3.1), but
> > to no avail. I have tried setting <Iterations> to zero as well as
> > <Salt> length parameter, but couldn't get it working.
> >
> > Could some kind angel help me out here, please?
>
> hi,
>
> <NSEC3>
> <Hash>
> <Algorithm>1</Algorithm>
> <Iterations>0</Iterations>
> <Salt length="0"/>
> </Hash>
> </NSEC3>
>
> then apply the policy and wait
> --
> antonio
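One way to do the verification step suggested in the thread (check the policy and the zone's signconf for the RFC 9276 Sec. 3.1 parameters), as an added example that is not part of the original messages or of OpenDNSSEC. The function name `check_nsec3_hash` is hypothetical, the signconf fragment is constructed, and its layout (salt stored as hex text inside `<Salt>`) is an assumption.

```python
import xml.etree.ElementTree as ET

# The policy fragment quoted in the thread (KASP form: salt given as a length).
POLICY_FROM_THREAD = """<NSEC3><Hash>
<Algorithm>1</Algorithm><Iterations>0</Iterations><Salt length="0"/>
</Hash></NSEC3>"""

# Constructed signconf-style fragment (assumed layout: salt stored as hex text).
CONSTRUCTED_SIGNCONF = """<SignerConfiguration><Zone name="example.com"><Denial>
<NSEC3><Hash>
<Algorithm>1</Algorithm><Iterations>5</Iterations><Salt>0c0a0f0e</Salt>
</Hash></NSEC3>
</Denial></Zone></SignerConfiguration>"""


def check_nsec3_hash(xml_text):
    """Return findings for each <NSEC3><Hash> that is not 'iterations 0, empty salt'."""
    root = ET.fromstring(xml_text)
    hashes = [h for n in root.iter("NSEC3") for h in n.findall("Hash")]
    if not hashes:
        return ["no <NSEC3><Hash> element found"]
    findings = []
    for h in hashes:
        iterations = (h.findtext("Iterations") or "").strip()
        if iterations != "0":
            findings.append(f"Iterations is {iterations!r}, expected '0'")
        salt = h.find("Salt")
        if salt is None:
            findings.append("no <Salt> element")
            continue
        length = salt.get("length")          # KASP form, as in the thread
        value = (salt.text or "").strip()    # signconf form (assumed)
        if length is not None and length.strip() != "0":
            findings.append(f"Salt length is {length!r}, expected '0'")
        # "-" is the RFC 5155 presentation form of an empty salt.
        if value not in ("", "-"):
            findings.append(f"Salt value {value!r} is not empty")
    return findings


if __name__ == "__main__":
    for name, doc in [("policy", POLICY_FROM_THREAD), ("signconf", CONSTRUCTED_SIGNCONF)]:
        print(name, check_nsec3_hash(doc) or "OK")
```

An empty result for the policy together with a non-empty salt reported for the signconf would match the symptom described in the thread: the policy was edited, but the signer is still using a previously generated salt.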