AW: AW: AW: Specifying NSEC3 salt with dnssec-policy
Petr Špaček
pspacek at isc.org
Tue Oct 1 13:59:11 UTC 2024
On 01. 10. 24 15:41, Klaus Darilion wrote:
> Hi Petr!
>
>> It can be said that the interface pushes people to follow RFC 9276, i.e.
>> no salt and no extra iterations.
>>
>> It is an pointless exercise which only makes servers easier to DoS for
>> no benefit.
>
> I understand your decision to push people towards RFC 9276.
>
>> Why do you need extra salt? What part of RFC 9276 does not apply to your
>> situation? I'm curious!
>
> As said I was debugging NSEC3 issues of a zone which currently uses a salt, and I wanted to reproduce the same hasing as those zone currently use. So I do not want to use a salt in production, but only in testing.
Apologies, I forgot the context about debugging something. It makes
sense then.
--
Petr Špaček
Internet Systems Consortium
More information about the bind-users
mailing list