NSEC3 Params

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 6 15:20:09 CET 2017

> On Mar 6, 2017, at 4:39 AM, Andreas Schulze <andreas.schulze at datev.de> wrote:
> Hello Viktor,
> Your suggestion differs from RFC 5155.
> https://tools.ietf.org/html/rfc5155#appendix-C.1: "It is RECOMMENDED that the salt be changed for every re-signing"
> Could you explain your choice more verbosely?

If you do manual full-zone re-signing, feel free.  Most zones
are re-signed incrementally and automatically, but the entire
NSEC3 chain must use a single salt (or two chains need to be
built during the transition).

In any case, the main benefit of NSEC3 is "opt-out" to allow
sparse signing in TLDs; hiding the zone content is only an
emotional impulse, and there's little rational use for it in the
vast majority of cases.

Others may of course disagree, ...  Be sensible, but focus
on operational reliability above all other considerations.
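The point about the chain needing a single salt can be made concrete with the hash itself. The following is an added example (not code from the thread or from any signer): it implements the RFC 5155 NSEC3 hash (SHA-1 over the canonical wire-format name, iterated with the salt appended, base32hex output), builds a toy chain for a constructed zone, and then models an incremental re-sign that has only replaced some names' NSEC3 records with new-salt ones. The zone contents, the salts and the names of all functions are assumptions made for the example. Once salts are mixed, the record set simultaneously proves a name exists (old-salt owner matches) and that it does not (its new-salt hash falls in an interval of the partial new chain), which is exactly the state RFC 5155 lets a validator treat as bogus.

```python
# Added example: RFC 5155 NSEC3 hashing and why one chain must use one salt.
# Everything below (zone names, salts, function names) is constructed for illustration.
import base64
import hashlib

# Constructed toy zone; not a real zone.
NAMES = ["example.", "a.example.", "ns1.example.", "ns2.example.", "w.example.", "xx.example."]

# RFC 4648 base32 alphabet -> base32hex alphabet (what NSEC3 owner names use).
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercased) wire-format DNS name, the input RFC 5155 hashes."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """IH(salt,x,0) = SHA-1(x || salt); IH(salt,x,k) = SHA-1(IH(salt,x,k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii").lower()


def build_chain(names, salt, iterations):
    """One NSEC3 RR per name as (owner_hash, next_hash, salt, iterations), hash-ordered
    and ring-closed: the last record's next pointer is the first owner."""
    owners = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return [(h, owners[(i + 1) % len(owners)], salt, iterations) for i, h in enumerate(owners)]


def claims(records, qname):
    """What a validator can derive about qname from the records, hashing with each record's
    own parameters: 'match' (name exists) and/or 'cover' (name does not exist)."""
    found = set()
    for owner, nxt, salt, iterations in records:
        h = nsec3_hash(qname, salt, iterations)
        if h == owner:
            found.add("match")
        elif (owner < h < nxt) if owner < nxt else (h > owner or h < nxt or owner == nxt):
            found.add("cover")  # second branch handles the wrap-around (ring-closing) record
    return found


def contradictions(records, names):
    """Names for which the record set both asserts existence and denies it."""
    return sorted(n for n in names if claims(records, n) == {"match", "cover"})


def resign_partially(names, old_salt, new_salt, iterations, resigned):
    """Model an incremental re-sign that has processed only `resigned` so far: their old-salt
    NSEC3 RRs are replaced by new-salt RRs; every other name still has its old-salt RR."""
    old_owners = {nsec3_hash(n, old_salt, iterations) for n in resigned}
    kept = [r for r in build_chain(names, old_salt, iterations) if r[0] not in old_owners]
    return kept + build_chain(resigned, new_salt, iterations)


if __name__ == "__main__":
    old, new = bytes.fromhex("aabbccdd"), bytes.fromhex("0102030405")
    consistent = build_chain(NAMES, old, 12)
    mixed = resign_partially(NAMES, old, new, 12, ["a.example.", "w.example."])
    print("single salt, contradictions:", contradictions(consistent, NAMES))
    print("mixed salts, contradictions:", contradictions(mixed, NAMES))
```

The first `nsec3_hash` test value below is the apex owner from the RFC 5155 Appendix A example zone (salt `aabbccdd`, 12 iterations), which is a convenient check that the hash is implemented correctly. The operational takeaway matches the message: a salt change is a full-chain rebuild, so an incremental signer either keeps the salt or maintains both chains until the new one is complete.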

