Hi Klaus,
With dnssec-policy you can specify the salt length, not a specific salt.
You can still use dnssec-signzone -3 to manually set a salt.
Best regards,
Matthijs
On 9/30/24 22:38, Klaus Darilion via bind-users wrote:
Hello!
With "auto-dnssec maintain;" I was used to specify the NSEC3 salt with
'rndc signing -nsec3param'. Today I used the "dnssec-policy" and I
failed to specify the salt manually. Are there any tricks/workarounds to
manually specify the NSEC3 salt?
I know that actually the salt should be "-" but currently I am debugging
a NSEC3 issue in our system and in such cases I always use Bind as a
reference how the proper NSEC3 should look like. Hence I was in need to
manually set the salt to be similar to the production zone. Luckily I
was on 9.18 and switched back to auto-dnssec.
Thanks
Klaus
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
