BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)
Antonio Marcos López Alonso
amla at ipna.csic.es
Mon Nov 5 13:17:50 UTC 2012
El Lunes 05 noviembre 2012 13:05:30 Mark Andrews escribió:
> In message <201211051239.55119.amla at ipna.csic.es>, Antonio Marcos
> =?utf-8?q?L=C
>
> 3=B3pez_Alonso?= writes:
> > El Lunes 05 noviembre 2012 12:16:31 Mark Andrews escribiĆ³:
> > > In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos
> > > =?iso-8859-1?
> > >
> > > q?L=F3pez_Alonso?= writes:
> > > > Hi,
> > > >
> > > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > > > succesfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > > > (algorithm s
> > > > 5 and 7, both being aliases), but BIND refuses to load the zone
> > > > complaining these algorithms are not supported:
> > > >
> > > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > > > algorithm: 7
> > >
> > > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > > http://www.iana.org/assignments/dnssec-nsec3-parameters
> > >
> > > 5 and 7 refer to DNSKEY algorithms.
> >
> > http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.x
> > ml
> >
> > I'm a little bit confused here. If SHA-1 is the only defined hash
> > algorithm for
> > NSEC3, why algorithm 7 is listed as RSASHA1-NSEC3-SHA1 and does work in a
> > command like:
> > dnssec-keygen -r /dev/urandom āa NSEC3RSASHA1 āb 1024
> > myzone.mydomain.org
> >
> > Sorry in advance for the question but I'm still getting the nuts and
> > bolts of
> > DNSSEC. :-)
> >
> > Kind regards,
> > Antonio
>
> There are a number of different algorithm numbers in various DNSSEC
> related records.
>
> * DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
> This defines how signatures are generated and whether NSEC3 is
> permitted in the zone and well as which NSEC3 hash algorithms are
> allowed in the zone.
> * NSEC3 hash algorithm numbers appear in NSEC3 records.
> This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
> * DS hash algorithm numbers appear in DS records.
> This defines the DS hash algorithm used to generate the DS record.
>
> Note DS records have 2 algorithm numbers.
>
> Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
> signatures of the SHA1 hash of the RRset (RSASHA1). The zone *may*
> contain NSEC3 records and those NSEC3 records must be generated using
> the SHA1 (1) hash algorithm.
>
> The error message said you signed the zone with NSEC3 records
> generated with hash algorithm 7. There is no such algorithm defined
> for NSEC3 records.
>
> Mark
Clear as water. Thanks a lot for taking the time to point me out right!
Kind regards,
Antonio
**********************************
Antonio Marcos López Alonso
Servicio de Informática y
Telecomunicaciones
Instituto de Productos Naturales
y Agrobiología (IPNA-CSIC)
mailto:amla at ipna.csic.es
(+34) 922 260 190 (Ext. 237)
***********************************
More information about the bind-users
mailing list