NSEC3 Params

Andreas Schulze andreas.schulze at datev.de
Mon Mar 6 10:39:03 CET 2017

Am 01.03.2017 um 03:12 schrieb Viktor Dukhovni:
>> How often should the NSEC3 params (salt in particular) be changed.
> For now, never.  Choose a suitable random value around 8 octets long,
> and keep it fixed.

Hello Viktor,

Your suggestion differ from RFC 5155.
https://tools.ietf.org/html/rfc5155#appendix-C.1: "It is RECOMMENDED that the salt be changed for every re-signing"

Could you explain your choice more verbose?


A. Schulze

More information about the dane-users mailing list