Hi Petr!

> It can be said that the interface pushes people to follow RFC 9276, i.e.
> no salt and no extra iterations.
> 
> It is a pointless exercise which only makes servers easier to DoS for
> no benefit.

I understand your decision to push people towards RFC 9276.

> Why do you need extra salt? What part of RFC 9276 does not apply to your
> situation? I'm curious!

As said, I was debugging NSEC3 issues of a zone which currently uses a salt, and 
I wanted to reproduce the same hashing as that zone currently uses. So I do not 
want to use a salt in production, but only in testing.

So I am fine with the workaround of doing manual signing with dnssec-signzone.

Regards
Klaus

PS: All of nic.at/RcodeZero is using RFC 9276.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

