Hi all,
the NSEC3 salt is stored in KASP DB (the storage for keys and their
metadata), so it will not be overly difficult to implement salt
manipulation with the keymgr utility. But such a new feature will be released
as part of some future version of Knot, not immediately.
Libor
On 26.11.18 at 13:41, Christian Petrasch wrote:
Hi Petr,
the reason was, or is, that we have never changed the salt since we
started with DNSSEC. So we do not really have experience with changing
the salt.
And because we are developing a new system to change our whole DNSSEC
system, it would be nice to have one factor less to take care of..
But it is not a showstopper for KNOT ;)
best regards
Christian
--
Christian Petrasch
Product Owner
Zone Creation & Signing
IT-Services
DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY
E-Mail: petrasch(a)denic.de
http://www.denic.de
PGP-KeyID: 549BE0AE, Fingerprint: 0E0B 6CBE 5D8C B82B 0B49 DE61 870E
8841 549B E0AE
Information pursuant to § 25a (1) GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg
Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court of
Frankfurt am Main
From: "Petr Špaček" <petr.spacek(a)nic.cz>
To: knot-dns-users(a)lists.nic.cz
Date: 26.11.2018 13:30
Subject: Re: [knot-dns-users] Define SALT String for NSEC3
Sent by: "knot-dns-users" <knot-dns-users-bounces(a)lists.nic.cz>
------------------------------------------------------------------------
Hi Christian,
what are you trying to achieve? Why would you need to configure salt
value at all? I'm curious! :-)
Petr Špaček @ CZ.NIC
On 12. 11. 18 15:56, Christian Petrasch wrote:
Hi Daniel,
thanks a lot for the fast answer..
I have to discuss it with my stakeholders.
From my current situation I would appreciate it.
Because our current solution supports this and we are testing switching
the solution. At the moment I would prefer KNOTdns.
It would be nice to configure our old salt to have one possibility of
error less..
This shouldn't mean that I'm afraid that it is not implemented well.. ;)
best regards
Christian
From: "Daniel Salzman" <daniel.salzman(a)nic.cz>
To: "Christian Petrasch" <petrasch(a)denic.de>,
knot-dns-users(a)lists.nic.cz
Date: 12.11.2018 15:47
Subject: Re: [knot-dns-users] Define SALT String for NSEC3
------------------------------------------------------------------------
Hi Christian,
There is no configuration for a custom NSEC3 salt value in Knot DNS.
So far there was no need for that. Is it important for you?
Best,
Daniel
On 11/12/18 3:33 PM, Christian Petrasch wrote:
Hi,
is there any knot-dns configuration parameter to define the SALT
string for NSEC3?
> I have :
>
> nsec3: BOOL
> nsec3-iterations: INT
> nsec3-opt-out: BOOL
> nsec3-salt-length: INT
>
> but nothing to configure the string..
>
> Does anybody have an idea?
>
> Any help would be really appreciated..
>
> thanks a lot
>
> best regards
--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
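
Added example, not part of the thread and not Knot DNS code: the NSEC3 owner-name hash from RFC 5155 in Python, showing that a replacement signer reproduces the existing hashed owner names only if it uses the same salt and iteration count. The zone names and the second salt are constructed; the first salt and the iteration count are the sample values from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648), used for NSEC3 owner labels.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(name || salt), then `iterations` extra rounds of H(prev || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

def chain_owners(names, salt_hex, iterations):
    """Hashed owner labels in sorted order, i.e. the order of the NSEC3 chain."""
    return sorted(nsec3_hash(n, salt_hex, iterations) for n in names)

# Constructed sample zone content (not from the thread).
NAMES = ["example", "a.example", "ns1.example"]
OLD_SALT, NEW_SALT, ITERATIONS = "aabbccdd", "11223344", 12  # NEW_SALT is constructed

if __name__ == "__main__":
    for salt in (OLD_SALT, NEW_SALT):
        print("salt", salt)
        for owner in chain_owners(NAMES, salt, ITERATIONS):
            print("  ", owner)
```

With only a salt length configurable, a new signer generates its own salt, so every hashed owner name in the chain differs from the one the previous signer published.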