BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
Mark Andrews
marka at isc.org
Mon Nov 5 12:16:31 UTC 2012
In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos López Alonso writes:
> Hi,
>
> I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone
> complaining these algorithms are not supported:
>
> general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7
The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
http://www.iana.org/assignments/dnssec-nsec3-parameters
5 and 7 refer to DNSKEY algorithms.
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
> general: error: zone myzone.mydomain.org/IN: no supported nsec3 hash algorithm
> general: error: zone myzone.mydomain.org/IN: not loaded due to errors.
>
> (the same happens with algorithm 5).
>
> Could this be a BIND bug? (Someone told me these algorithms are fully
> supported).
>
> Kind regards,
> Antonio
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
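
The distinction drawn in the reply, as an added example that is not part of the original message or of BIND: it reads the algorithm field of DNSKEY and NSEC3PARAM records and computes the RFC 5155 hashed owner name for hash algorithm 1. The function names and sample records are assumptions made for illustration.

```python
import base64
import hashlib

# Only the registry entries this thread touches.
NSEC3_HASH_ALGS = {1: "SHA-1"}
DNSKEY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed sample records, not taken from the thread; key data is a dummy.
SAMPLE = [
    "myzone.mydomain.org. 3600 IN DNSKEY 257 3 7 AwEAAcDummyKey",
    "myzone.mydomain.org. 0 IN NSEC3PARAM 1 0 5 aabbccdd",
    "myzone.mydomain.org. 0 IN NSEC3PARAM 7 0 5 aabbccdd",
]

def diagnose(line):
    """Explain the algorithm field of one DNSKEY or NSEC3PARAM zone-file line."""
    fields = line.split()
    if "DNSKEY" in fields:
        alg = int(fields[fields.index("DNSKEY") + 3])  # flags, protocol, algorithm
        return f"DNSKEY algorithm {alg} ({DNSKEY_ALGS.get(alg, 'not listed here')})"
    alg = int(fields[fields.index("NSEC3PARAM") + 1])  # hash algorithm comes first
    if alg in NSEC3_HASH_ALGS:
        return f"NSEC3 hash algorithm {alg} ({NSEC3_HASH_ALGS[alg]}): ok"
    hint = f" ({alg} is DNSKEY algorithm {DNSKEY_ALGS[alg]})" if alg in DNSKEY_ALGS else ""
    return f"unsupported nsec3 hash algorithm: {alg}{hint}"

def nsec3_hash(name, salt_hex, iterations, alg=1):
    """Hashed owner name per RFC 5155 section 5, base32hex, lower case."""
    if alg not in NSEC3_HASH_ALGS:
        raise ValueError(f"unsupported nsec3 hash algorithm: {alg}")
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # the field counts additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32_TO_B32HEX).decode().lower()

if __name__ == "__main__":
    for rec in SAMPLE:
        print(diagnose(rec))
    print(nsec3_hash("example.", "aabbccdd", 12))
```
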