BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)

Antonio Marcos López Alonso amla at ipna.csic.es
Mon Nov 5 12:39:54 UTC 2012


On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos
> López Alonso writes:
> > Hi,
> > 
> > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > (algorithms 5 and 7, both being aliases), but BIND refuses to load the
> > zone, complaining these algorithms are not supported:
> > 
> > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > algorithm: 7
> 
> The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> http://www.iana.org/assignments/dnssec-nsec3-parameters
> 
> 5 and 7 refer to DNSKEY algorithms.
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml

I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for 
NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a 
command like:

dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org

Sorry in advance for the question but I'm still getting the nuts and bolts of 
DNSSEC. :-)

Kind regards,
Antonio
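
The distinction Mark draws above, worked through in code: the number in an
NSEC3/NSEC3PARAM record is a *hash* algorithm (the IANA registry assigns only
1 = SHA-1), while the 5 and 7 that dnssec-keygen accepts are *DNSKEY* algorithms
(7 is RSA/SHA-1 flagged as NSEC3-capable). The script below computes NSEC3
owner names the way RFC 5155 section 5 specifies, refuses any hash algorithm the
registry does not assign (which is what the BIND warning in the post is about),
and classifies a few zone-file records so the two fields can be told apart. This
is an added example, not code from this thread, from BIND or from OpenDNSSEC; the
two registry tables are hand-copied subsets of the IANA registries Mark links,
the sample records are constructed (the DNSKEY key data is a placeholder), and
the only external value it checks is the H(example.) hash from RFC 5155
Appendix A (salt aabbccdd, 12 iterations).

```python
"""NSEC3 owner-name hashing (RFC 5155, section 5) and a check that keeps the two
"algorithm" numbers in a signed zone apart: the NSEC3/NSEC3PARAM hash algorithm
(only 1 = SHA-1 is assigned) and the DNSKEY/RRSIG algorithm (5, 7, 8, ...).
Added example; not code from the bind-users thread, BIND or OpenDNSSEC."""
import base64
import hashlib

# Hand-copied subset of the IANA "DNSSEC NSEC3 Hash Algorithms" registry:
# 0 is reserved and 1 (SHA-1) is the only assigned hash algorithm.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}

# Hand-copied subset of the IANA "DNS Security Algorithm Numbers" registry,
# i.e. the DNSKEY/RRSIG algorithm field. 7 is RSA/SHA-1 marked NSEC3-capable.
DNSKEY_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                     13: "ECDSAP256SHA256"}

_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each prefixed by
    its length, terminated by the zero-length root label (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648, section 7), lowercase,
    which is how NSEC3 owner names are written in zone files."""
    std = base64.b32encode(data)
    return std.translate(bytes.maketrans(_B32_STD, _B32_HEX)).decode().rstrip("=").lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int, hash_alg: int = 1) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt);
    the owner name is base32hex(IH(iterations)). Any hash algorithm number the
    registry does not assign is rejected, as BIND does when loading the zone."""
    if hash_alg not in NSEC3_HASH_ALGORITHMS:
        raise ValueError(f"unsupported nsec3 hash algorithm: {hash_alg}")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means no salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def check_record(rr: str) -> tuple:
    """Look at one presentation-format RR (optional TTL and class allowed) and
    report whether its algorithm number is valid for *that* RR type.
    Returns (ok, message)."""
    fields = rr.split()
    rest = fields[1:]
    while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
        rest = rest[1:]                        # skip TTL / class
    rtype, rdata = rest[0].upper(), rest[1:]
    if rtype in ("NSEC3", "NSEC3PARAM"):
        alg = int(rdata[0])                    # first rdata field: hash algorithm
        if alg in NSEC3_HASH_ALGORITHMS:
            return True, f"{rtype}: hash algorithm {alg} = {NSEC3_HASH_ALGORITHMS[alg]}"
        hint = (f" ({alg} is a DNSKEY algorithm: {DNSKEY_ALGORITHMS[alg]})"
                if alg in DNSKEY_ALGORITHMS else "")
        return False, f"{rtype}: unsupported nsec3 hash algorithm: {alg}{hint}"
    if rtype == "DNSKEY":
        alg = int(rdata[2])                    # flags, protocol, algorithm, key
        if alg in DNSKEY_ALGORITHMS:
            return True, f"DNSKEY: algorithm {alg} = {DNSKEY_ALGORITHMS[alg]}"
        return False, f"DNSKEY: unknown algorithm {alg}"
    return False, f"{rtype}: no algorithm field to check"


# Constructed sample records; the DNSKEY key material is a placeholder, not a key.
SAMPLE_RECORDS = [
    "example. 3600 IN NSEC3PARAM 1 0 12 aabbccdd",       # parameters from RFC 5155
    "myzone.mydomain.org. IN NSEC3PARAM 7 0 10 abcd",    # the mistake behind the warning
    "myzone.mydomain.org. IN DNSKEY 256 3 7 AwEAAQ==",   # 7 is a valid DNSKEY algorithm
]

if __name__ == "__main__":
    for rr in SAMPLE_RECORDS:
        print(check_record(rr))
    # RFC 5155 Appendix A: H(example.) with salt aabbccdd and 12 iterations
    print(nsec3_hash("example.", "aabbccdd", 12))
```

Running it shows the second record rejected with the same "unsupported nsec3
hash algorithm: 7" text as the BIND log line, while the DNSKEY with algorithm 7
passes; the zone only needs its NSEC3PARAM/NSEC3 hash field set to 1 and can
keep its algorithm-7 keys.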
