On Mar 6, 2017, at 4:39 AM, Andreas Schulze andreas.schulze@datev.de wrote:
Hello Viktor,
Your suggestion differs from RFC 5155. https://tools.ietf.org/html/rfc5155#appendix-C.1: "It is RECOMMENDED that the salt be changed for every re-signing"
Could you explain your choice more verbosely?
If you do manual full-zone re-signing, feel free. Most zones are re-signed incrementally and automatically, but the entire NSEC3 chain must use a single salt (or two chains need to be built during the transition).
In any case, the main benefit of NSEC3 is "opt-out" to allow sparse signing in TLDs; hiding the zone content is only an emotional impulse, there's little rational use for it in the vast majority of cases.
Others may of course disagree, ... Be sensible, but focus on operational reliability above all other considerations.
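As an added illustration of why every record in an NSEC3 chain must carry the same salt (example code written for this thread, not from either participant): the hash from RFC 5155 section 5, the salt and iteration count from the RFC's Appendix A example zone, and a constructed replacement salt and small set of owner names.

```python
import base64
import hashlib

# base32 (A-Z2-7) -> base32hex (0-9A-V); SHA-1 is 20 bytes, so no padding appears.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt).
    Hash algorithm 1 (SHA-1); result is lowercase base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()

def build_chain(names, salt_hex: str, iterations: int) -> dict:
    """NSEC3 chain as {hashed owner: next hashed owner}, sorted, last wrapping to first.
    Lowercase base32hex sorts correctly as plain strings ('0'-'9' < 'a'-'v')."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}

def covering_record(chain: dict, qname: str, salt_hex: str, iterations: int):
    """Owner of the NSEC3 whose span covers qname's hash (denial of existence),
    or None when qname exists. Only meaningful if qname is hashed with the chain's salt."""
    hq = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain.items():
        if owner == hq:
            return None
        wraps = nxt <= owner  # last record (or a single-record chain) wraps around
        if owner < hq < nxt or (wraps and (hq > owner or hq < nxt)):
            return owner
    return None

def shared_hashes(names, salt_a: str, salt_b: str, iterations: int) -> set:
    """Hashed owners that two salts have in common; a salt change leaves none,
    so no NSEC3 record from the old chain can stay in the new one."""
    return set(build_chain(names, salt_a, iterations)) & set(build_chain(names, salt_b, iterations))

if __name__ == "__main__":
    zone = ["example", "a.example", "ns1.example", "w.example", "xx.example"]  # constructed
    old = build_chain(zone, "aabbccdd", 12)    # salt/iterations as in RFC 5155 Appendix A
    new = build_chain(zone, "0123456789", 12)  # constructed replacement salt
    print("old chain:", list(old))
    print("new chain:", list(new))
    print("records reusable after salt change:", shared_hashes(zone, "aabbccdd", "0123456789", 12))
```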