AW: AW: AW: Specifying NSEC3 salt with dnssec-policy
Klaus Darilion
klaus.darilion at nic.at
Tue Oct 1 13:41:32 UTC 2024
Hi Petr!
> It can be said that the interface pushes people to follow RFC 9276, i.e.
> no salt and no extra iterations.
>
> It is a pointless exercise which only makes servers easier to DoS for
> no benefit.
I understand your decision to push people towards RFC 9276.
> Why do you need extra salt? What part of RFC 9276 does not apply to your
> situation? I'm curious!
As said, I was debugging NSEC3 issues of a zone which currently uses a salt, and I wanted to reproduce the same hashing as that zone currently uses. So I do not want to use a salt in production, but only in testing.
So I am fine with the workaround of doing manual signing with dnssec-signzone.
Regards
Klaus
PS: All of nic.at/RcodeZero is using RFC 9276.
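
For reproducing a salted zone's NSEC3 owner hashes in a test setup, the RFC 5155 hash can be computed directly from the owner name plus the salt and iteration count published in the zone's NSEC3PARAM record. This is an added example, not part of the original message and not BIND code; the function names are hypothetical, and the sample parameters (salt `aabbccdd`, 12 iterations) are those of the RFC 5155 Appendix A test zone.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex ("extended hex") used by NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def to_wire(name: str) -> bytes:
    """Canonical DNS wire format: lowercased, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:          # the root name has no labels
            continue
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """RFC 5155 hash (algorithm 1, SHA-1).

    salt_hex: salt as shown in NSEC3PARAM ("-" or "" means no salt).
    iterations: number of ADDITIONAL hash rounds, as in NSEC3PARAM.
    """
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A test zone, then RFC 9276 settings.
    for owner in ("example", "a.example"):
        salted = nsec3_hash(owner, "aabbccdd", 12)
        rfc9276 = nsec3_hash(owner, "-", 0)   # no salt, no extra iterations
        print(f"{owner:12} salted={salted} rfc9276={rfc9276}")
```

Comparing the output against the first label of the NSEC3 records in the signed test zone shows whether the signer used the same salt and iteration count as the zone being debugged.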