So resalt wasn't doing anything because the salt wasn't old enough. After 
purposefully changing the resalt period to make it run, it printed the 
following message in my logfile when using <Salt length="0"/>:

[policy_resalt_task] policy default has an invalid salt length. Must be in 
range [0..255]

Best regards,
Bruno Blanes

From: Abdulkareem H. Ali <[email protected]>
Sent: Monday, October 28, 2024 12:31 PM
To: Bruno Blanes <[email protected]>; Antonio Prado <[email protected]>
Cc: [email protected]
Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1

Hi

> Thank you all for the help, but <Salt length="0"/> is still generating a salt 
> value. Does OpenDNSSEC not support zero length salt values?

Have you imported the updated policies after updating the KASP file? You will 
probably need to run `ods-enforcer policy import` and also update the zone's 
signconf file, `ods-signer update signconf`.

Then verify the signconf config file for the zone, usually located in 
`/var/opendnssec/signconf/ZONE.xml`, but could be set differently in your 
config.

HTH,
Kareem.

--
Abdulkareem H. Ali
Technical Product Owner, DNS
CentralNic Registry - Team Internet Group PLC
London Stock Exchange Symbol: LON:TIG

+44 20 3388 0600
www.centralnicregistry.com <https://www.centralnicregistry.com/>

Centralnic Group PLC is a company registered in England and Wales with company 
number 8576358. Registered Offices: CentralNic, 4th Floor, Saddlers House, 44 
Gutter Lane, London, EC2V 6BR.

From: Opendnssec-user <[email protected]> on behalf of Bruno Blanes via 
Opendnssec-user <[email protected]>
Date: Monday, 28 October 2024 at 12:16
To: Antonio Prado <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1

Thank you all for the help, but <Salt length="0"/> is still generating a salt 
value. Does OpenDNSSEC not support zero length salt values?

> -----Original Message-----
> From: Antonio Prado <[email protected]>
> Sent: Friday, October 25, 2024 3:51 PM
> To: Bruno Blanes <[email protected]>
> Cc: [email protected]
> Subject: Re: [Opendnssec-user] Adhering to RFC 9276 Sec. 3.1
>
> On 10/25/24 3:45 PM, Bruno Blanes via Opendnssec-user wrote:
>
> > I've been trying to set OpenDNSSEC to generate the NSEC3 parameter
> > with an empty salt and zero iterations (as per RFC 9276 Sec. 3.1), but
> > to no avail. I have tried setting <Iterations> to zero as well as
> > <Salt> length parameter, but couldn't get it working.
> >
> > Could some kind angel help me out here, please?
>
> hi,
>
> <NSEC3>
>         <Hash>
>           <Algorithm>1</Algorithm>
>           <Iterations>0</Iterations>
>           <Salt length="0"/>
>         </Hash>
> </NSEC3>
>
> then apply the policy and wait
> --
> antonio
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
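
Once the policy import and signconf update discussed in this thread have taken effect, the result can also be checked against the signed zone's NSEC3PARAM record. The following is an added example, not part of the thread or of OpenDNSSEC: it parses NSEC3PARAM rdata in RFC 5155 presentation format (where `-` denotes an empty salt) and reports deviations from RFC 9276 Sec. 3.1. The function names and the sample zone lines are constructed for illustration.

```python
import re

# Matches zone-file lines such as "example. 0 IN NSEC3PARAM 1 0 0 -".
NSEC3PARAM_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NSEC3PARAM\s+(\S+\s+\S+\s+\S+\s+\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_nsec3param(rdata):
    """Parse 'algorithm flags iterations salt' (RFC 5155 presentation format)."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {rdata!r}")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    # "-" is the presentation form of a zero-length salt; anything else is hex.
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return {"algorithm": algorithm, "flags": flags,
            "iterations": iterations, "salt": salt}

def rfc9276_findings(rdata):
    """Return a list of deviations from RFC 9276 Sec. 3.1 (empty list = compliant)."""
    params = parse_nsec3param(rdata)
    findings = []
    if params["iterations"] != 0:
        findings.append(f"iterations is {params['iterations']}, expected 0")
    if params["salt"]:
        findings.append(f"salt is {len(params['salt'])} octets, expected empty ('-')")
    return findings

def check_zone_text(zone_text):
    """Map each NSEC3PARAM owner name found in zone_text to its findings."""
    return {owner.lower(): rfc9276_findings(rdata)
            for owner, rdata in NSEC3PARAM_RE.findall(zone_text)}

# Constructed sample input: one compliant zone apex, one with salt and iterations.
SAMPLE_ZONE_LINES = """\
compliant.example. 0 IN NSEC3PARAM 1 0 0 -
legacy.example. 0 IN NSEC3PARAM 1 0 5 ad02e8a5d6b0d4aa
"""

if __name__ == "__main__":
    for owner, findings in check_zone_text(SAMPLE_ZONE_LINES).items():
        print(owner, "OK" if not findings else "; ".join(findings))
```
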