changing NSEC3 salt
Cathy Almond
cathya at isc.org
Thu Feb 6 13:58:18 UTC 2014
On 06/02/2014 12:58, Timothe Litt wrote:
> On 06-Feb-14 05:56, Cathy Almond wrote:
>> On 05/02/2014 18:54, David Newman wrote:
>>> The Michael W. Lucas DNSSEC book recommends changing NSEC3 salt every
>>> time a zone's ZSK changes.
>>>
>>> Is this just a matter of a new 'rndc signing' command, or is some action
>>> needed to remove the old salt?
>>>
>>> thanks
>>>
>>> dn
>> rndc signing -nsec3param ...
>>
>> I would expect the old NSEC3 chain and old NSEC3PARAM record to be
>> removed, once the new chain is in place.
>>
>> (Similarly, the new NSEC3PARAM record will not appear in the zone until
>> the new NSEC3 chain has been completely generated).
>>
>> Cathy
>>
> This seems silly. Why should a person have to select a salt at all?
> It's just a random number, and people are really bad at picking random
> numbers. Seems like a miss in 'DNSSEC for humans' :-)
>
> There should be a mechanism to tell named to pick a random number and
> use it for the salt. (I suggest '*' - '-' already means 'none'.) named
> already has to know how to get random numbers, so this should not be
> difficult. It should work for records supplied in UPDATE transactions
> as well as rndc signing.
>
> A bit more work to have it function when loaded from a zone file, though
> that doesn't seem unreasonable. (E.g. if read from a zone file, pick a
> salt, treat the record as if loaded with that value, and do all the
> requisite (re-)signing.)
>
> I'm copying bind9-bugs so this doesn't get lost. Please don't copy that
> list if you comment on this. (Careful with that 'reply all'!)
>
> Timothe Litt
> ACM Distinguished Engineer
Sounds like a good idea - thanks.
Cathy
(Also carefully changing the distribution list on this email to avoid
reply all accidents :D)