BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
Antonio Marcos López Alonso
amla at ipna.csic.es
Mon Nov 5 12:39:54 UTC 2012
On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos
> López Alonso writes:
>
> > Hi,
> >
> > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone
> > complaining these algorithms are not supported:
> >
> > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > algorithm: 7
>
> The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> http://www.iana.org/assignments/dnssec-nsec3-parameters
>
> 5 and 7 refer to DNSKEY algorithms.
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for
NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a
command like:
dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
Sorry in advance for the question but I'm still getting the nuts and bolts of
DNSSEC. :-)
Kind regards,
Antonio
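An added illustration, not part of this thread and not code from BIND or OpenDNSSEC: the point Mark makes is that "7" lives in the DNSKEY algorithm registry (where it means RSA/SHA-1, flagged as NSEC3-aware), while the hash-algorithm field of an NSEC3 or NSEC3PARAM record has its own registry with a single value, 1 (SHA-1). The script below looks a number up in both registries, computes an NSEC3 hashed owner name the way RFC 5155 section 5 defines it (SHA-1 over the wire-format name plus salt, iterated), and applies the zone-load check that produced the warning in the original report. The zone name myzone.mydomain.org is the one from the thread; the salt and iteration count used with it are constructed, and the check value for "example." is the one printed in RFC 5155 Appendix A (salt aabbccdd, 12 iterations).

```python
import base64
import hashlib

# The two IANA registries the reply distinguishes. The NSEC3 hash-algorithm
# registry has a single defined value; DNSKEY algorithm numbers are a separate
# registry in which 5 and 7 are both RSA/SHA-1 (7 merely tells validators that
# the signer understands NSEC3).
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}
DNSKEY_ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    13: "ECDSAP256SHA256",
}

# Base32 with the "extended hex" alphabet (RFC 4648 section 7), which NSEC3
# owner names use; Python's base64 module only ships the standard alphabet.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX_ALPHABET = bytes.maketrans(_B32_STD, _B32_HEX)


def describe_number(n):
    """Look one number up in both registries, to show that they are unrelated."""
    return {
        "nsec3_hash_algorithm": NSEC3_HASH_ALGORITHMS.get(n),
        "dnskey_algorithm": DNSKEY_ALGORITHMS.get(n),
    }


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def nsec3_hash(owner, salt_hex, iterations, hash_alg=1):
    """RFC 5155 section 5 hashed owner name:
       IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Only hash algorithm 1 (SHA-1) is defined, so anything else is rejected the
    same way a zone loader rejects it."""
    if hash_alg not in NSEC3_HASH_ALGORITHMS:
        raise ValueError("unsupported nsec3 hash algorithm: %d" % hash_alg)
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # A 20-byte digest encodes to exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).translate(_TO_HEX_ALPHABET).decode("ascii").lower()


def load_nsec3param(rdata):
    """Parse NSEC3PARAM presentation format "<hash-alg> <flags> <iterations> <salt>"
    and apply the check a zone loader applies: the hash algorithm must be 1."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM needs 4 fields, got %d" % len(fields))
    hash_alg, flags, iterations = (int(f) for f in fields[:3])
    salt = fields[3]
    if hash_alg not in NSEC3_HASH_ALGORITHMS:
        raise ValueError("unsupported nsec3 hash algorithm: %d" % hash_alg)
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations, "salt": salt}


if __name__ == "__main__":
    for n in (1, 5, 7):
        print(n, describe_number(n))
    # Check value from RFC 5155 Appendix A: salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))
    # Constructed NSEC3PARAM for the zone from the thread.
    params = load_nsec3param("1 0 10 AABBCCDD")
    print(nsec3_hash("myzone.mydomain.org.", params["salt"], params["iterations"]))
    try:
        load_nsec3param("7 0 10 AABBCCDD")  # a DNSKEY number in the hash-algorithm field
    except ValueError as err:
        print("zone load would fail:", err)
```

Running it prints that 7 is absent from the NSEC3 registry but present in the DNSKEY registry, which is exactly why dnssec-keygen accepts -a NSEC3RSASHA1 while a 7 in the NSEC3PARAM hash field is refused.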