Specifying NSEC3 salt with dnssec-policy
Matthijs Mekking
matthijs at isc.org
Tue Oct 1 06:48:50 UTC 2024

Hi Klaus,

With dnssec-policy you can specify the salt length, not a specific salt.
You can still use dnssec-signzone -3 to manually set a salt.

Best regards,

Matthijs

On 9/30/24 22:38, Klaus Darilion via bind-users wrote:
> Hello!
>
> With "auto-dnssec maintain;" I was used to specifying the NSEC3 salt with
> 'rndc signing -nsec3param'. Today I used the "dnssec-policy" and I
> failed to specify the salt manually. Are there any tricks/workarounds to
> manually specify the NSEC3 salt?
>
> I know that actually the salt should be "-" but currently I am debugging
> an NSEC3 issue in our system and in such cases I always use BIND as a
> reference for what the proper NSEC3 should look like. Hence I needed to
> manually set the salt to be similar to the production zone. Luckily I
> was on 9.18 and switched back to auto-dnssec.
>
> Thanks
>
> Klaus
>
>