Hello,
We want to configure OpenDNSSEC to comply with RFC9276 (Guidance for
NSEC3 Parameter Settings) and some parts of this RFC are very easy, but I
cannot get the salt to be empty ('-') as described in section 3.1
With the following settings in the kasp.xml
<Denial>
<NSEC3>
<Resalt>P90D</Resalt>
<Hash>
<Algorithm>1</Algorithm>
<Iterations>0</Iterations>
<Salt length="0">-</Salt>
</Hash>
</NSEC3>
</Denial>
Results in the following NSEC3PARAM record:
NSEC3PARAM 1 0 0 DAFDC9C1B52486F5
I also tried to remove the Salt element, but that results in an invalid
configuration as described in /usr/share/opendnssec/kasp.rng .
How can I change the configuration to get an empty salt?
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl
pgp_nLr7b3Q_j.pgp
Description: OpenPGP digital signature
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
