AW: AW: Specifying NSEC3 salt with dnssec-policy

Petr Špaček pspacek at isc.org
Tue Oct 1 13:35:13 UTC 2024


On 01. 10. 24 14:45, Klaus Darilion via bind-users wrote:
>>> I always had the impression that dnssec-signzone is a stand-alone
>>> utility and signing is done either with dnssec-signzone or with
>>> Bind's dnssec-policy. Does it really work to use dnssec-signzone on a
>>> zone and journal that is managed by named?
>>
>> No, it doesn't work like that. You turn off automatic signing and use
>> dnssec-signzone manually to sign the zone.
>>
>> I was under the impression that you needed to sign a zone with a
>> specific salt. dnssec-signzone can do that for you.
> 
> OK. So this is a worst-case workaround. I was hoping to find a workaround with still Bind9 doing all the signing automatically :)

It can be said that the interface pushes people to follow RFC 9276, i.e. 
no salt and no extra iterations.

It is a pointless exercise which only makes servers easier to DoS for 
no benefit.

Why do you need extra salt? What part of RFC 9276 does not apply to your 
situation? I'm curious!

-- 
Petr Špaček
Internet Systems Consortium
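Added example (not part of the thread, and not ISC's own text): a minimal named.conf dnssec-policy that expresses what the reply above describes, NSEC3 with no salt and no extra iterations as recommended by RFC 9276. The policy name "rfc9276-nsec3", the zone name "example.test", and the key algorithm/lifetime values are assumptions chosen for illustration; the `nsec3param` clause syntax is that of BIND 9.16 and later, and `salt-length 0` is the way this interface leaves the salt empty rather than letting you supply a specific one.

```conf
// Assumed policy name; everything here is illustrative, not from the thread.
dnssec-policy "rfc9276-nsec3" {
    // Key parameters are assumptions for the example.
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };

    // RFC 9276 (Section 3.1) guidance as enforced by this interface:
    //   iterations 0   -> no additional hash iterations
    //   salt-length 0  -> empty salt ("-" in the NSEC3PARAM RR)
    //   optout no      -> opt-out is a separate choice; left off here
    // Extra iterations or a salt add no security and only increase the
    // hashing cost a server pays when answering, which is the DoS point made above.
    nsec3param iterations 0 optout no salt-length 0;
};

zone "example.test" {
    type primary;
    file "example.test.db";
    dnssec-policy "rfc9276-nsec3";
    inline-signing yes;
};
```

After named has signed the zone, the published NSEC3PARAM record should read `1 0 0 -` (hash algorithm 1, flags 0, 0 iterations, empty salt); a query such as `dig @127.0.0.1 example.test NSEC3PARAM` is the quick way to confirm that the deployed zone matches the policy rather than a salt carried over from an earlier manual signing.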