BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)

Mark Andrews marka at isc.org
Mon Nov 5 12:16:31 UTC 2012


In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos López Alonso writes:
> Hi,
> 
> I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have 
> successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 
> (algorithms 5 and 7, both being aliases), but BIND refuses to load the 
> zone complaining these algorithms are not supported:
> 
> general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7

The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
http://www.iana.org/assignments/dnssec-nsec3-parameters

5 and 7 refer to DNSKEY algorithms.
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml

> general: error: zone myzone.mydomain.org/IN: no supported nsec3 hash algorithm
> general: error: zone myzone.mydomain.org/IN: not loaded due to errors.
> 
> (the same happens with algorithm 5).
> 
> Could this be a BIND bug? (Someone told me these algorithms are fully 
> supported).
> 
> Kind regards,
> Antonio 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
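
The distinction drawn in the reply above, as an added example that is not part of the original thread: a check of the hash-algorithm field of an NSEC3PARAM record against the NSEC3 registry (only 1 is defined), with a hint when the value is really a DNSKEY algorithm number, plus the algorithm 1 hash itself as specified in RFC 5155. The function names and the sample records are constructed for illustration; the salt and iteration count are those of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# IANA "DNSSEC NSEC3 Parameters" registry: hash algorithm 1 (SHA-1) is the only one defined.
NSEC3_HASH_ALGS = {1: "SHA-1"}
# DNSKEY algorithm numbers live in a different registry and are easy to confuse with the above.
DNSKEY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Maps the standard base32 alphabet onto lowercase base32hex (used for NSEC3 owner names).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def check_nsec3param(line):
    """Return (ok, message) for one NSEC3PARAM record in presentation format."""
    fields = line.split()
    alg = int(fields[fields.index("NSEC3PARAM") + 1])  # first RDATA field
    if alg in NSEC3_HASH_ALGS:
        return True, f"hash algorithm {alg} ({NSEC3_HASH_ALGS[alg]})"
    hint = ""
    if alg in DNSKEY_ALGS:
        hint = f"; {alg} is DNSKEY algorithm {DNSKEY_ALGS[alg]}, not an NSEC3 hash"
    return False, f"unsupported nsec3 hash algorithm: {alg}{hint}"

def nsec3_hash(name, salt_hex, iterations):
    """NSEC3 hash algorithm 1: iterated, salted SHA-1 over the wire-format owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

# Constructed sample records (not taken from the poster's zone).
SAMPLE = [
    "example. 0 IN NSEC3PARAM 7 0 12 aabbccdd",  # DNSKEY algorithm number in the hash field
    "example. 0 IN NSEC3PARAM 1 0 12 aabbccdd",  # valid: hash algorithm 1
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec, "->", check_nsec3param(rec))
    print(nsec3_hash("example.", "aabbccdd", 12))
```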
