Take your DNSSEC with a grain of salt ...

Spain, Dr. Jeffry A. spainj at countryday.net
Sat Dec 31 18:54:09 UTC 2011

> I've taken some time to write down my knowledge on NSEC3 use of the "salt" and "iteration" parameters:
> <http://strotmann.de/roller/dnsworkshop/entry/take_your_dnssec_with_a>

Thanks, Carsten. This is a very clear, concise, and informative article.

Given the recommendation to change NSEC3 salt values with each ZSK rollover, I would like to make the following suggestion for bind9 and bind10. Enhance bind9 dnssec-keygen (and whatever the equivalent turns out to be for bind10) to include a random or specified salt as part of the key metadata. When the key activation date/time is reached for NSEC3 zones, automatically modify the NSEC3PARAM record and regenerate the NSEC3 chain with the new salt value.

Happy New Year to all. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
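
Added example, not part of the original message and not BIND code: a Python sketch of why a new salt forces the whole NSEC3 chain to be regenerated. It uses the RFC 5155 hash (SHA-1, salt appended on every round), with names and parameters taken from the RFC 5155 Appendix A sample zone. The `rollover` helper and its 4-byte random salt are assumptions made for illustration.

```python
import base64
import hashlib
import secrets

# Translate RFC 4648 base32 to the base32hex alphabet used in NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format: length-prefixed labels, then a zero byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(name || salt), then `iterations` additional rounds."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

def nsec3param_rdata(salt_hex: str, iterations: int) -> str:
    """Presentation-format NSEC3PARAM RDATA: hash algorithm 1 (SHA-1), flags 0."""
    return f"1 0 {iterations} {salt_hex or '-'}"

def rollover(names, old_salt, iterations, new_salt=None):
    """Hypothetical helper: choose a new salt and recompute every owner hash."""
    new_salt = new_salt or secrets.token_hex(4)  # assumption: 4 random bytes
    chain = {
        n: (nsec3_hash(n, old_salt, iterations), nsec3_hash(n, new_salt, iterations))
        for n in names
    }
    return nsec3param_rdata(new_salt, iterations), chain

if __name__ == "__main__":
    # Sample input: owner names and parameters of the RFC 5155 Appendix A zone.
    names = ["example", "a.example", "ns1.example"]
    rdata, chain = rollover(names, "aabbccdd", 12)
    print("NSEC3PARAM", rdata)
    for name, (old, new) in chain.items():
        print(f"{name:12} {old} -> {new}")
```

Every hashed owner name changes with the salt, so the NSEC3PARAM record and all NSEC3 records, with their signatures, have to be replaced together.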

More information about the bind-users mailing list