NSEC3 Params

Andreas Schulze andreas.schulze at datev.de
Mon Mar 6 10:39:03 CET 2017


On 01.03.2017 at 03:12, Viktor Dukhovni wrote:
>> How often should the NSEC3 params (salt in particular) be changed?
> 
> For now, never.  Choose a suitable random value around 8 octets long,
> and keep it fixed.

Hello Viktor,

Your suggestion differs from RFC 5155.
https://tools.ietf.org/html/rfc5155#appendix-C.1: "It is RECOMMENDED that the salt be changed for every re-signing"

Could you explain your choice in more detail?

Thanks
Andreas




-- 
A. Schulze
DATEV eG