AW: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Klaus Darilion via bind-users
> > I always had the impression that dnssec-signzone is a stand-alone > > utility and signing is done either with dnssec-signzone or with > > Bind's dnssec-policy. Does it really work to use dnssec-signzone on a > > zone and journal that is managed by named? > > No, it doesn't work like that. You

AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Klaus Darilion via bind-users
ilion, Head of Operations nic.at GmbH, Jakob-Haringer-Straße 8/V 5020 Salzburg, Austria > -Original Message- > From: bind-users On behalf of > Matthijs Mekking > Sent: Tuesday, 1 October 2024 08:49 > To: bind-users@lists.isc.org > Subject: Re: Specifying NSEC3

Re: AW: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Petr Špaček
On 01. 10. 24 14:45, Klaus Darilion via bind-users wrote: I always had the impression that dnssec-signzone is a stand-alone utility and signing is done either with dnssec-signzone or with Bind's dnssec-policy. Does it really work to use dnssec-signzone on a zone and journal that is managed by nam

AW: AW: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Klaus Darilion via bind-users
Hi Petr! > It can be said that the interface pushes people to follow RFC 9276, i.e. > no salt and no extra iterations. > > It is a pointless exercise which only makes servers easier to DoS for > no benefit. I understand your decision to push people towards RFC 9276. > Why do you need extra sal

Re: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Matthijs Mekking
On 10/1/24 09:44, Klaus Darilion wrote: Hi Matthijs! I always had the impression that dnssec-signzone is a stand-alone utility and signing is done either with dnssec-signzone or with Bind's dnssec-policy. Does it really work to use dnssec-signzone on a zone and journal that is managed by name

Re: AW: AW: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Petr Špaček
On 01. 10. 24 15:41, Klaus Darilion wrote: Hi Petr! It can be said that the interface pushes people to follow RFC 9276, i.e. no salt and no extra iterations. It is a pointless exercise which only makes servers easier to DoS for no benefit. I understand your decision to push people towards R

Re: Specifying NSEC3 salt with dnssec-policy

2024-09-30 Thread Matthijs Mekking
Hi Klaus, With dnssec-policy you can specify the salt length, not a specific salt. You can still use dnssec-signzone -3 to manually set a salt. Best regards, Matthijs On 9/30/24 22:38, Klaus Darilion via bind-users wrote: Hello! With "auto-dnssec maintain;" I was used to specifying the NSEC3 s

Specifying NSEC3 salt with dnssec-policy

2024-09-30 Thread Klaus Darilion via bind-users
Hello! With "auto-dnssec maintain;" I was used to specifying the NSEC3 salt with 'rndc signing -nsec3param'. Today I used the "dnssec-policy" and I failed to specify the salt manually. Are there any tricks/workarounds to manually specify the NSEC3 salt? I know that actually the salt should be "-"