On Wed, 12 Sep 2012, Paul Wouters wrote:

As a workaround for this issue, we decided to start using no salt.
I noticed <Salt length="0"/> did not work as expected, and it still
generated an 8 byte salt. I had to remove the entire Salt tag to get
no salt. Consider this a bug report :)

Oh, that's bad - please file a bug at https://issues.opendnssec.org/.

Actually, it seems I was wrong. Later on I noticed that it never
actually used a zero salt. Removing the Salt length actually causes the
XML to fail to validate, and the policy will not be used. Manually
removing the salt value in signconf/domain.xml seemed to indicate some
support for it, as my empty value got replaced with "-" after an
"update all". (and 10 minutes later I can confirm that the signer used
no salt now)

I confirmed <Salt length="0"/> works. There must have been an operator
error by me in regenerating/restarting/removing signconf/ files or
something.

I changed policy on another server to use length 0, ran "update all"
and the signconf/domain.xml got updated to Salt "-".

Sorry for the false positive,

Paul
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user