DNSSEC DS record generation for DOT-US from NSEC3 signed-zone
Jason Roysdon
bind-users.20100813 at jason.roysdon.net
Sat Aug 14 21:02:50 UTC 2010
On 08/14/2010 12:43 AM, Matthew Seaman wrote:
> On 14/08/2010 02:08, Jason Roysdon wrote:
>> The problem I have is that my zone is using an NSEC3 and when BIND's
>> dnssec-signzone generates dsset files, it does so with algorithm 7. How
>> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
>> as Neustar requires?
>
> Add a second KSK of the appropriate type to your zone, and register that
> upstream. It's perfectly normal to have several keys signing a zone and
> active -- the normal key rollover mechanisms rely on it. The standard
> says that up to 5 (I think) such keys must be supported.
>
> Cheers,
>
> Matthew
>
I generated an NSEC algorithm 5 KSK and put an $INCLUDE for it in my
zone. I tried to sign the zone so it would start replicating the KSK,
and I get this error when signing:
$ /usr/sbin/dnssec-signzone -g -k Kmyzone.us.+007+XXXXX.key -o myzone.us
myzone.us Kmyzone.+007+YYYYY
dnssec-signzone: NSEC3 generation requested with NSEC only DNSKEY
myzone.us zone has:
$INCLUDE Kmyzone.us.+007+XXXXX.key
$INCLUDE Kmyzone.us.+007+YYYYY.key
$INCLUDE Kmyzone.us.+005+ZZZZZ.key
The error only occurs once I add the NSEC $INCLUDE.
Looking at this error, it appears you cannot mix NSEC-only keys with NSEC3.
Any other suggestions?
Jason Roysdon
http://jason.roysdon.net/
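To make the point in this thread concrete, here is a small added example (not from the post, and not BIND's code) that builds a DS record from a DNSKEY the way RFC 4034 section 5.1.4 specifies, and applies the NSEC-only check that the dnssec-signzone error above reflects. The zone name and the key bytes are constructed placeholders. The DS algorithm field is copied straight from the DNSKEY, which is why a DS for an algorithm-7 (RSASHA1-NSEC3-SHA1) key can never come out as algorithm 5.

```python
import base64
import hashlib
import struct

# Algorithms usable only with NSEC (RFC 5155 section 2): 1 RSAMD5, 3 DSA,
# 5 RSASHA1. Algorithms 6 and 7 are the NSEC3-capable aliases of 3 and 5;
# algorithms 8 and later are NSEC3-capable by definition.
NSEC_ONLY_ALGORITHMS = {1, 3, 5}


def nsec3_capable(algorithm: int) -> bool:
    """The check behind 'NSEC3 generation requested with NSEC only DNSKEY'."""
    return algorithm not in NSEC_ONLY_ALGORITHMS


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, hex_digest) for the DS RR.
    Digest = hash(owner name wire form || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


# Constructed sample: a KSK (flags 257) with algorithm 7 and a placeholder key.
SAMPLE_OWNER = "myzone.us."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, 257, 3, 7, SAMPLE_PUBKEY_B64)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    print("algorithm 7 NSEC3-capable:", nsec3_capable(7), "| algorithm 5:", nsec3_capable(5))
```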