On 06-Feb-14 05:56, Cathy Almond wrote:
This seems silly. Why should a person have to select a salt at all? It's just a random number, and people are really bad at picking random numbers. Seems like a miss in 'DNSSEC for humans' :-)On 05/02/2014 18:54, David Newman wrote:The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every time a zone's ZSK changes.Is this just a matter of a new 'rndc signing' command, or is some action needed to remove the old salt? thanks dnrndc signing -nsec3param ... I would expect the old NSEC3 chain and old NSEC3PARAM record to be removed, once the new chain is in place. (Similarly, the new NSEC3PARAM record will not appear in the zone until the new NSEC3 chain has been completely generated). Cathy
There should be a mechanism to tell named to pick a random number and use it for the salt. (I suggest '*' - '-' already means 'none'.) named already has to know how to get random numbers, so this should not be difficult. It should work for records supplied in UPDATE transactions as well as rndc signing.
A bit more work to have it function when loaded from a zone file, though that doesn't seem unreasonable. (E.g. if read from a zone file, pick a salt, treat the record as if loaded with that value, and do all the requisite (re-)signing.)
I'm copying bind9-bugs so this doesn't get lost. Please don't copy that list if you comment on this. (Careful with that 'reply all'!)
Timothe Litt ACM Distinguished Engineer -------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. This communication may not represent my employer's views, if any, on the matters discussed.
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users