BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)

Mark Andrews marka at isc.org
Mon Nov 5 13:05:30 UTC 2012


In message <201211051239.55119.amla at ipna.csic.es>, Antonio Marcos López Alonso writes:
> On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> > In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos López Alonso writes:
> > > Hi,
> > > 
> > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > > (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone
> > > complaining these algorithms are not supported:
> > > 
> > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > > algorithm: 7
> > 
> > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > http://www.iana.org/assignments/dnssec-nsec3-parameters
> > 
> > 5 and 7 refer to DNSKEY algorithms.
> > 
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
> 
> I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for
> NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a
> command like:
> dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
> 
> Sorry in advance for the question, but I'm still getting the nuts and bolts of
> DNSSEC. :-)
> 
> Kind regards,
> Antonio

There are a number of different algorithm numbers in various DNSSEC
related records.

*  DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
   This defines how signatures are generated and whether NSEC3 is
   permitted in the zone, as well as which NSEC3 hash algorithms are
   allowed in the zone.
*  NSEC3 hash algorithm numbers appear in NSEC3 records.
   This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
*  DS hash algorithm numbers appear in DS records.
   This defines the DS hash algorithm used to generate the DS record.

Note DS records have 2 algorithm numbers.

Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
signatures of the SHA1 hash of the RRset (RSASHA1).  The zone *may*
contain NSEC3 records and those NSEC3 records must be generated using
the SHA1 (1) hash algorithm.

The error message said you signed the zone with NSEC3 records
generated with hash algorithm 7.  There is no such algorithm defined
for NSEC3 records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
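The distinction Mark draws above, as an added example in Python (not Mark's code and not BIND's): a loader-style check that validates the hash algorithm field of NSEC3/NSEC3PARAM records against the IANA NSEC3 registry (only 1, SHA-1) and the zone's DNSKEY algorithm against the set that permits NSEC3, plus the RFC 5155 section 5 hashed-owner-name computation that shows the NSEC3 hash really is SHA-1. The zone name, the sample records and the placeholder key material are constructed.

```python
import base64
import hashlib

# IANA "DNSSEC NSEC3 Hash Algorithms" registry: only 1 (SHA-1) is defined.
NSEC3_HASH_ALGS = {1: "SHA-1"}
# DNSKEY algorithm numbers that permit NSEC3 in the zone: the RFC 5155 aliases
# 6 and 7 plus algorithms registered afterwards (8, 10, 13, 14, 15, 16).
NSEC3_CAPABLE_DNSKEY_ALGS = {6, 7, 8, 10, 13, 14, 15, 16}

def check_zone(zone_name, zone_text):
    """Return BIND-style warnings for a presentation-format zone (owner TTL
    class type rdata...) whose NSEC3 records carry the wrong algorithm number."""
    warnings, dnskey_algs, nsec3_present = [], set(), False
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":                 # rdata: flags proto ALG key
            dnskey_algs.add(int(rdata[2]))
        elif rtype in ("NSEC3", "NSEC3PARAM"):  # rdata: HASH-ALG flags iters salt
            nsec3_present = True
            if int(rdata[0]) not in NSEC3_HASH_ALGS:
                warnings.append(f"zone {zone_name}/IN: unsupported nsec3 hash "
                                f"algorithm: {rdata[0]}")
    if nsec3_present and not dnskey_algs & NSEC3_CAPABLE_DNSKEY_ALGS:
        warnings.append(f"zone {zone_name}/IN: DNSKEY algorithms "
                        f"{sorted(dnskey_algs)} do not signal NSEC3 support")
    return warnings

def nsec3_hash(owner, salt_hex, iterations):
    """RFC 5155 section 5 hashed owner name using NSEC3 hash algorithm 1:
    IH(0) = SHA1(owner_wire || salt), IH(k) = SHA1(IH(k-1) || salt), base32hex."""
    labels = owner.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()   # 20 bytes -> 32 chars, no padding
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()

# Constructed sample: the NSEC3 records carry DNSKEY algorithm 7 in the hash
# algorithm field, as in the warning above; the key material is a placeholder.
SAMPLE_ZONE = """\
myzone.example. 3600 IN DNSKEY 257 3 7 PLACEHOLDER-PUBLIC-KEY
myzone.example. 3600 IN NSEC3PARAM 7 0 12 aabbccdd
a1b2c3.myzone.example. 3600 IN NSEC3 7 0 12 aabbccdd D4E5F6 NS SOA RRSIG
"""
```

Running `check_zone("myzone.example", SAMPLE_ZONE)` reproduces the "unsupported nsec3 hash algorithm: 7" warning once per NSEC3/NSEC3PARAM record; changing the hash field to 1 clears it, while changing the DNSKEY algorithm to 5 (plain RSASHA1) triggers the NSEC3-support warning instead.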