[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Mon Jan 18 16:58:21 UTC 2021
Hello everyone!

On 1/18/21 7:57 AM, Viktor Dukhovni wrote:
> The non-empty salt is pointless, but basically harmless.

Why should salt be pointless? Can you hint/link?

Quick link to original motivation:
https://tools.ietf.org/html/rfc5155#appendix-C.1
(Though it seems relatively weak to me... nowadays I can't really
imagine practical dictionaries for DNS names that would be "too
expensive" to rehash whenever resigning happens.)

> I find the shared "salt" value somewhat "amusing"

Whole FQDNs are hashed, so sharing salt among different zones seems safe
to me, though I must admit I have no idea why anyone might want to do
it. Though if salt is pointless overall...
--Vladimir
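
Added example, not part of the original message: the NSEC3 owner hash from RFC 5155 (algorithm 1, SHA-1) computed over the full wire-format name, showing that one salt shared by two zones still gives unrelated hashes for the same relative label. The function names, the zones example.com and example.net, and the salt/iteration values are constructed for illustration.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), lower-cased.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789abcdefghijklmnopqrstuv")


def wire_name(fqdn: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a fully qualified name."""
    name = fqdn.rstrip(".")
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {fqdn!r}")
        out.append(len(raw))   # each label is length-prefixed
        out += raw
    out.append(0)              # root label terminates the name
    return bytes(out)


def nsec3_hash(fqdn: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """NSEC3 owner hash for hash algorithm 1 (SHA-1), as base32hex text."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    # The zone name is part of the hashed input, not only the relative label.
    digest = hashlib.sha1(wire_name(fqdn) + salt).digest()
    for _ in range(iterations):            # "iterations" counts extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)


def shared_salt_hashes(label: str, zones, salt_hex: str, iterations: int):
    """Hash the same relative label under several zones with one salt."""
    return {z: nsec3_hash(f"{label}.{z}", salt_hex, iterations) for z in zones}


if __name__ == "__main__":
    zones = ["example.com", "example.net"]      # constructed sample zones
    for zone, h in shared_salt_hashes("www", zones, "aabbccdd", 12).items():
        print(f"www.{zone:<12} salt=aabbccdd it=12 -> {h}")
    # The parameters from the subject line: no salt, no extra iterations.
    print("www.example.com  1 0 0 -          ->", nsec3_hash("www.example.com"))
```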