NSEC3PARAM not honored in inline-signer mode (was Re: BIND 9.9.0 is now available)

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Mar 7 18:03:14 UTC 2012


On 03-07-12 18:08, Evan Hunt wrote:

>> I also find it a bit strange that BIND decides to go for NSEC, even when
>> the KSK and ZSK are configured with algorithm: 7 (NSEC3RSASHA1).
>
> There's no difference between algorithm 7 and algorithm 5 (RSASHA1).
> The use of a new algorithm number for a previously-existing algorithm is
> sort of a signaling mechanism: it tells older resolvers that you're using
> a newer version of the DNSSEC specification than
> they're equipped to deal with .  But it doesn't mean NSEC3 is required, or
> even expected.

Interesting way of looking at it.

Algo 7 is mentioned in RFC5155. It tells older resolvers your are using
a newer version of DNSSEC. Sure it does, namely a version that supports
NSEC3, right? Now why would you want to do that? Because either you are
doing NSEC3, or you are planning to do so in the foreseeable future.

It's kind of a trade-off, I suppose:

- use algo 7 with NSEC allows you to move to NSEC3 without much hassle
(but older resolvers won't validate your replies meanwhile)

- use algo 5 with NSEC and you have to do a algorithm rollover first
when you want to move to NSEC3 (but meanwhile, older resolvers will
validate your replies).

Are there still any 'older' resolvers around? Maybe not...

Anyway, thanks for your insights!

--
Marco



More information about the bind-users mailing list