On 2022-09-07 07:26, Stefan Ubbink wrote:
Hello,

We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
NSEC3 Parameter Settings) and some parts of this RFC are very easy,
but I cannot get the salt to be empty ('-') as described in section
3.1.
With the following settings in the kasp.xml

<Denial>
    <NSEC3>
        <Resalt>P90D</Resalt>
        <Hash>
            <Algorithm>1</Algorithm>
            <Iterations>0</Iterations>
            <Salt length="0">-</Salt>
        </Hash>
    </NSEC3>
</Denial>

Hi Stefan,

Specifying the salt as such:

    <Salt length="0"/>

Should work.  So an empty XML element without the "-".  The hash
is only an artifact for zone files such that there is a field.

\Berry

Results in the following NSEC3PARAM record:

NSEC3PARAM 1 0 0 DAFDC9C1B52486F5

I also tried to remove the Salt element, but that results in an invalid
configuration as described in /usr/share/opendnssec/kasp.rng .

How can I change the configuration to get an empty salt?
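To confirm the change took effect after the zone is re-signed, the published NSEC3PARAM record can be checked against the two RFC 9276 section 3.1 settings discussed in this thread (0 iterations, zero-length salt shown as "-"). The script below is an added example, not part of the original messages or of OpenDNSSEC; the function names and the "example." owner name are constructed for illustration.

```python
# Check an NSEC3PARAM record (presentation format) against the RFC 9276
# section 3.1 settings discussed above: iterations = 0 and an empty salt.
# RDATA layout per RFC 5155: <hash alg> <flags> <iterations> <salt>,
# where a zero-length salt is written "-" and any other salt as hex.


def parse_nsec3param(line):
    """Return (algorithm, flags, iterations, salt_bytes).

    Accepts bare RDATA ("1 0 0 -") or a full record line; only the last
    four whitespace-separated fields are used.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected at least 4 fields, got: %r" % line)
    alg, flags, iterations = (int(f) for f in fields[-4:-1])
    salt_text = fields[-1]
    salt = b"" if salt_text == "-" else bytes.fromhex(salt_text)
    if len(salt) > 255:
        raise ValueError("salt exceeds the 255-octet limit of the length field")
    return alg, flags, iterations, salt


def rfc9276_findings(line):
    """List deviations from the guidance; an empty list means compliant."""
    _alg, _flags, iterations, salt = parse_nsec3param(line)
    findings = []
    if iterations != 0:
        findings.append("iterations is %d, expected 0" % iterations)
    if salt:
        findings.append("salt is %d octets (%s), expected empty ('-')"
                        % (len(salt), salt.hex().upper()))
    return findings


# Sample input: the record quoted in the thread, and a constructed record
# in the target form (owner name, TTL and class are made up).
SAMPLES = [
    "NSEC3PARAM 1 0 0 DAFDC9C1B52486F5",
    "example. 0 IN NSEC3PARAM 1 0 0 -",
]

if __name__ == "__main__":
    for record in SAMPLES:
        problems = rfc9276_findings(record)
        print(record, "->", "; ".join(problems) if problems else "OK")
```

Because only the last four fields are read, the same functions accept bare RDATA as well as a full zone-file line.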