[dns-operations] NSEC3 parameter selection (BCP: 1 0 0 -)

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Mon Jan 18 16:58:21 UTC 2021

Hello everyone!

On 1/18/21 7:57 AM, Viktor Dukhovni wrote:
> The non-empty salt is pointless, but basically harmless.

Why should salt be pointless?  Can you hint/link?
Quick link to original motivation: 

(Though it seems relatively weak to me... nowadays I can't really 
imagine practical dictionaries for DNS names that would be "too 
expensive" to rehash whenever resigning happens.)

> I find the shared "salt" value somewhat "amusing"

Whole FQDNs are hashed, so sharing salt among different zones seems safe 
to me, though I must admit I have no idea why anyone might want to do 
it.  Though if salt is pointless overall...


More information about the dns-operations mailing list