On 06/02/2014 12:58, Timothe Litt wrote:
> On 06-Feb-14 05:56, Cathy Almond wrote:
>> On 05/02/2014 18:54, David Newman wrote:
>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
>>> time a zone's ZSK changes.
>>>
>>> Is this just a matter of a new 'rndc signing' command, or is some action
>>> needed to remove the old salt?
>>>
>>> thanks
>>>
>>> dn
>> rndc signing -nsec3param ...
>>
>> I would expect the old NSEC3 chain and old NSEC3PARAM record to be
>> removed, once the new chain is in place.
>>
>> (Similarly, the new NSEC3PARAM record will not appear in the zone until
>> the new NSEC3 chain has been completely generated).
>>
>> Cathy
>>
> This seems silly. Why should a person have to select a salt at all?
> It's just a random number, and people are really bad at picking random
> numbers. Seems like a miss in 'DNSSEC for humans' :-)
>
> There should be a mechanism to tell named to pick a random number and
> use it for the salt. (I suggest '*' - '-' already means 'none'.) named
> already has to know how to get random numbers, so this should not be
> difficult. It should work for records supplied in UPDATE transactions
> as well as rndc signing.
>
> A bit more work to have it function when loaded from a zone file, though
> that doesn't seem unreasonable. (E.g. if read from a zone file, pick a
> salt, treat the record as if loaded with that value, and do all the
> requisite (re-)signing.)
>
> I'm copying bind9-bugs so this doesn't get lost. Please don't copy that
> list if you comment on this. (Careful with that 'reply all'!)
>
> Timothe Litt
> ACM Distinguished Engineer
Sounds like a good idea - thanks.

Cathy

(Also carefully changing the distribution list on this email to avoid reply all accidents :D)
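Until named can pick the salt itself, the random-salt step Timothe asks for can be wrapped around the `rndc signing -nsec3param` command Cathy gives. The script below is an added example, not code from the thread or from BIND; it assumes hash algorithm 1 (SHA-1), flags 0, the ITERATIONS and SALT_BYTES defaults shown, and an rndc already configured to talk to this named.

```shell
#!/bin/sh
# Added example (not from the thread): generate a random NSEC3 salt and hand
# it to "rndc signing -nsec3param" so nobody has to pick the salt by hand.
# Assumptions: hash 1 (SHA-1), flags 0, ITERATIONS/SALT_BYTES as below, and a
# working rndc. RNDC_DRY_RUN=1 prints the command instead of running it.

ITERATIONS="${ITERATIONS:-0}"    # RFC 9276 recommends 0 additional iterations
SALT_BYTES="${SALT_BYTES:-8}"    # 8 random bytes -> 16 hex characters

# Emit SALT_BYTES random bytes as lowercase hex from /dev/urandom (no openssl needed).
new_nsec3_salt() {
    head -c "${1:-$SALT_BYTES}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Accept only a non-empty, even-length hex string: the form NSEC3PARAM expects.
valid_salt() {
    case "$1" in
        '' ) return 1 ;;
        *[!0-9a-fA-F]* ) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Build the exact rndc command for a zone; echoed so it can be reviewed or logged.
nsec3param_cmd() {
    zone="$1"; salt="$2"
    printf 'rndc signing -nsec3param 1 0 %s %s %s\n' "$ITERATIONS" "$salt" "$zone"
}

# Roll the salt for one zone. named builds the new NSEC3 chain in the background
# and, as Cathy describes, removes the old chain and NSEC3PARAM record itself.
roll_nsec3_salt() {
    zone="$1"
    salt="$(new_nsec3_salt)"
    valid_salt "$salt" || { echo "bad salt generated: '$salt'" >&2; return 1; }
    cmd="$(nsec3param_cmd "$zone" "$salt")"
    if [ "${RNDC_DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd && echo "check progress with: rndc signing -list $zone"
    fi
}
```

Run `roll_nsec3_salt example.com` after each ZSK change, or with `RNDC_DRY_RUN=1` first to see the command that would be issued.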

