BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
Mark Andrews
marka at isc.org
Mon Nov 5 13:05:30 UTC 2012
In message <201211051239.55119.amla at ipna.csic.es>, Antonio Marcos López Alonso writes:
> On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> > In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos López Alonso writes:
> > > Hi,
> > >
> > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > > (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone
> > > complaining these algorithms are not supported:
> > >
> > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > > algorithm: 7
> >
> > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > http://www.iana.org/assignments/dnssec-nsec3-parameters
> >
> > 5 and 7 refer to DNSKEY algorithms.
> >
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
>
> I'm a little bit confused here. If SHA-1 is the only defined hash
> algorithm for
> NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1 and does it work in a
> command like:
> dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
>
> Sorry in advance for the question but I'm still getting the nuts and
> bolts of
> DNSSEC. :-)
>
> Kind regards,
> Antonio
There are a number of different algorithm numbers in various DNSSEC
related records.
* DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
This defines how signatures are generated and whether NSEC3 is
permitted in the zone as well as which NSEC3 hash algorithms are
allowed in the zone.
* NSEC3 hash algorithm numbers appear in NSEC3 records.
This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
* DS hash algorithm numbers appear in DS records.
This defines the DS hash algorithm used to generate the DS record.
Note DS records have 2 algorithm numbers.
Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
signatures of the SHA1 hash of the RRset (RSASHA1). The zone *may*
contain NSEC3 records and those NSEC3 records must be generated using
the SHA1 (1) hash algorithm.
The error message said you signed the zone with NSEC3 records
generated with hash algorithm 7. There is no such algorithm defined
for NSEC3 records.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
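The three separate number registries Mark distinguishes above, applied as a small zone checker. This is an added example, not code from the thread or from BIND; the zone name, key data and hash values are constructed, and the set of NSEC3-capable DNSKEY algorithms is taken from the IANA registry he links.

```python
# DNSKEY algorithm numbers (the "algorithm" field of DNSKEY, RRSIG and DS).
# Only these permit NSEC3 in a zone: DSA-NSEC3-SHA1 (6), RSASHA1-NSEC3-SHA1 (7)
# and the later, NSEC3-aware algorithms. RSASHA1 (5) is not among them.
NSEC3_CAPABLE_DNSKEY_ALGS = {6, 7, 8, 10, 12, 13, 14, 15, 16}
NSEC3_HASH_ALGS = {1}           # NSEC3 hash algorithm registry: only SHA-1
DS_DIGEST_TYPES = {1, 2, 3, 4}  # DS digest types: SHA-1, SHA-256, GOST, SHA-384


def check_zone(records):
    """Return a list of problem strings for presentation-format RR lines."""
    problems = []
    key_algs = set()
    nsec3_seen = False
    for line in records:
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "DNSKEY":                     # rdata: flags proto alg key
            key_algs.add(int(rdata[2]))
        elif rtype in ("NSEC3", "NSEC3PARAM"):    # rdata: hash-alg flags iters salt ...
            nsec3_seen = True
            hash_alg = int(rdata[0])
            if hash_alg not in NSEC3_HASH_ALGS:   # the mistake from the thread
                problems.append(
                    f"{owner} {rtype}: unsupported nsec3 hash algorithm: {hash_alg}")
        elif rtype == "DS":                       # rdata: keytag alg digest-type digest
            digest_type = int(rdata[2])           # second number space on a DS record
            if digest_type not in DS_DIGEST_TYPES:
                problems.append(f"{owner} DS: unknown digest type: {digest_type}")
    if nsec3_seen:
        for alg in sorted(key_algs - NSEC3_CAPABLE_DNSKEY_ALGS):
            problems.append(f"DNSKEY algorithm {alg} does not permit NSEC3 in the zone")
    return problems


# Constructed zone fragment mirroring the thread: the key uses algorithm 7,
# but the NSEC3PARAM/NSEC3 records carry 7 in their hash-algorithm field.
BROKEN_ZONE = [
    "myzone.mydomain.org. 3600 IN DNSKEY 257 3 7 AwEAAexampleKSK==",
    "myzone.mydomain.org. 3600 IN NSEC3PARAM 7 0 10 ABCD",
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.myzone.mydomain.org. 3600 IN NSEC3 7 0 10 ABCD "
    "1avvqn74sg75ukfvf25dgcethgq8r4k5 A RRSIG",
]
# Same zone with the NSEC3 hash algorithm corrected to 1 (SHA-1).
FIXED_ZONE = [r.replace(" 7 0 10 ", " 1 0 10 ") for r in BROKEN_ZONE]

if __name__ == "__main__":
    for problem in check_zone(BROKEN_ZONE):
        print("warning:", problem)
    print("fixed zone problems:", check_zone(FIXED_ZONE))
```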