DNSSEC - mismatch between algorithm and type of NSEC

Alan Clegg aclegg at isc.org
Wed Dec 29 14:25:13 UTC 2010

On 12/29/2010 3:37 AM, Marc Lampo wrote:

> However, we now found the following case :
> 1) registrar offers us DNSKEY information with algorithm 7 :
> 2) in the zone file, there are NSEC (and not NSEC3) records

This is not an error.

The only reason for there being "different" algorithm numbers within
RSASHA1 was to keep "older" systems that don't know about NSEC3 from
dealing with NSEC3 responses incorrectly.

All "newer" algorithms can be used for both NSEC and NSEC3.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20101229/cf77a223/attachment.bin>

More information about the bind-users mailing list