> I've taken some time to write down my knowledge on NSEC3 use of the "salt"
> and "iteration" parameters:
> <http://strotmann.de/roller/dnsworkshop/entry/take_your_dnssec_with_a>

Thanks, Carsten. This is a very clear, concise, and informative article.

Given the recommendation to change NSEC3 salt values with each ZSK rollover, I would like to make the following suggestion for bind9 and bind10. Enhance bind9 dnssec-keygen (and whatever the equivalent turns out to be for bind10) to include a random or specified salt as part of the key metadata. When the key activation date/time is reached for NSEC3 zones, automatically modify the NSEC3PARAM record and regenerate the NSEC3 chain with the new salt value.

Happy New Year to all.

Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School