On 01. 10. 24 14:45, Klaus Darilion via bind-users wrote:
I always had the impression that dnssec-signzone is a stand-alone
utility and signing is done either with dnssec-signzone or with
Bind's dnssec-policy. Does it really work to use dnssec-signzone on a
zone and journal that is managed by named?
No, it doesn't work like that. You turn off automatic signing and use
dnssec-signzone manually to sign the zone.
I was under the impression that you needed to sign a zone with a
specific salt. dnssec-signzone can do that for you.
OK. So this is a worst-case workaround. I was hoping to find a workaround with
Bind9 still doing all the signing automatically :)
It can be said that the interface pushes people to follow RFC 9276, i.e.
no salt and no extra iterations.
It is a pointless exercise which only makes servers easier to DoS for
no benefit.
Why do you need extra salt? What part of RFC 9276 does not apply to your
situation? I'm curious!
--
Petr Špaček
Internet Systems Consortium
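As an added illustration of the RFC 9276 point above (not code from the thread or from ISC), here is a small audit that parses NSEC3PARAM records in dig-style presentation format and reports salt and iteration settings that depart from the RFC's guidance. The sample records and owner names are constructed; the format assumed is "owner TTL class NSEC3PARAM hash-alg flags iterations salt".

```python
from dataclasses import dataclass

# Constructed sample: NSEC3PARAM records in dig-style presentation format
# (owner TTL class type hash-alg flags iterations salt). Not real zones.
SAMPLE_RECORDS = """
example.test.     0 IN NSEC3PARAM 1 0 0 -
salted.test.      0 IN NSEC3PARAM 1 0 10 AB12CD34
heavy.test.       0 IN NSEC3PARAM 1 0 150 -
"""

# RFC 9276 Section 3.2: validating resolvers SHOULD treat NSEC3 with
# more than 100 iterations as insecure (and MAY SERVFAIL above 500).
RESOLVER_INSECURE_ITERATIONS = 100

@dataclass
class Nsec3Param:
    owner: str
    hash_alg: int
    flags: int
    iterations: int
    salt: str  # "-" means an empty salt

def parse_nsec3param(line):
    """Parse one presentation-format NSEC3PARAM record, or return None."""
    parts = line.split()
    if len(parts) != 8 or parts[3].upper() != "NSEC3PARAM":
        return None
    return Nsec3Param(parts[0], int(parts[4]), int(parts[5]),
                      int(parts[6]), parts[7])

def rfc9276_findings(p):
    """Return the ways the record departs from RFC 9276 guidance."""
    findings = []
    if p.hash_alg != 1:
        findings.append(f"unknown hash algorithm {p.hash_alg}")
    if p.salt != "-":
        findings.append("salt present (RFC 9276: use an empty salt)")
    if p.iterations > 0:
        findings.append(f"{p.iterations} extra iterations (RFC 9276: use 0)")
    if p.iterations > RESOLVER_INSECURE_ITERATIONS:
        findings.append("resolvers may treat the zone as insecure")
    return findings

def audit(text):
    """Map each owner name to its findings (empty list = compliant)."""
    result = {}
    for line in text.strip().splitlines():
        p = parse_nsec3param(line)
        if p is not None:
            result[p.owner] = rfc9276_findings(p)
    return result

if __name__ == "__main__":
    for owner, findings in audit(SAMPLE_RECORDS).items():
        print(owner, "OK" if not findings else "; ".join(findings))
```

Feed it the output of `dig +short NSEC3PARAM <zone>` prefixed with the owner, TTL, class and type fields, or the full `dig` answer section, to check a zone's current parameters.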