nsec3 in bind 9.7

Paul Wouters paul at xelerance.com
Sat Feb 20 01:40:07 UTC 2010


On Fri, 19 Feb 2010, Shane W wrote:

>> algorithm of 1 means use SHA-1 for hashing names; flags of 1 means opt-out
>> and 0 means no opt-out; iterations indicates how many times to repeat the
>
> Hmm, when attempting to add a nsec3param via nsupdate, I
> get:
> NSEC only DNSKEYs and NSEC3 chains not allowed

You have likely got RSASHA1 DNSKEYs. For RSASHA1, the DNSKEY with
NSEC3 support has a different algorithm number (for newer type keys,
like RSASHA256, these are no longer separate algorithm numbers).

You would need to roll over your key first to a new algorithm, NSEC3RSASHA1.
(or start from scratch with NSEC3RSASHA1 type DNSKEYs if this is
a testing zone)

By the way, unless your zone is very large (TLD size), NSEC3 will not
give you much extras, and it is recommended for small zones not to use
it to keep debugging easier on humans, and to avoid expensive hashing
on the resolvers.

Paul
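An added example illustrating the two points in the reply above (it is not BIND code and not part of the original thread): a check for NSEC-only DNSKEY algorithms that would trigger the "NSEC only DNSKEYs and NSEC3 chains not allowed" rejection, and the RFC 5155 owner-name hash showing what the `iterations` field costs a resolver. The set of NSEC-only algorithm numbers {1, 3, 5} and their NSEC3 aliases {6, 7} are taken from RFC 5155 section 11 and are an assumption about how the server classifies keys; the zone key list and hash parameters are constructed.

```python
"""Added example: NSEC3 eligibility of DNSKEY algorithms and the RFC 5155 hash."""
import base64
import hashlib

# Algorithm numbers that only signal NSEC support (RFC 5155 section 11, assumed
# to be exactly the set a server treats as "NSEC only" DNSKEYs).
NSEC_ONLY_ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
# NSEC3-capable aliases of the above; newer algorithms (8 and up) need no alias.
NSEC3_ALIAS = {3: 6, 5: 7}  # DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1


def nsec3_blockers(dnskey_algorithms):
    """Return the NSEC-only algorithms present in the zone's DNSKEY set, mapped
    to the algorithm to roll to (None if there is no NSEC3 alias).
    An empty result means adding an NSEC3PARAM is permitted."""
    return {alg: NSEC3_ALIAS.get(alg) for alg in set(dnskey_algorithms)
            if alg in NSEC_ONLY_ALGORITHMS}


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, the input NSEC3 hashes."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 section 5: H(name || salt), re-hashed `iterations` more times,
    encoded as unpadded base32hex. Only hash algorithm 1 (SHA-1) is defined."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # every extra iteration is one more SHA-1 per name
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    # Standard base32 alphabet -> base32hex alphabet; owner names are case-insensitive.
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


if __name__ == "__main__":
    # Constructed zone: an RSASHA1 (5) ZSK plus an RSASHA256 (8) KSK.
    print(nsec3_blockers([5, 8]))   # algorithm 5 must be rolled to 7 first
    print(nsec3_hash("example.", "aabbccdd", 12))  # 13 SHA-1 operations per name
```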


