In message <201211051239.55119.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> > In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > > Hi,
> > >
> > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > > (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone
> > > complaining these algorithms are not supported:
> > >
> > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > > algorithm: 7
> >
> > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > http://www.iana.org/assignments/dnssec-nsec3-parameters
> >
> > 5 and 7 refer to DNSKEY algorithms.
> > http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
>
> I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for
> NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1 and does work in a
> command like:
> dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
>
> Sorry in advance for the question but I'm still getting the nuts and bolts of
> DNSSEC. :-)
>
> Kind regards,
> Antonio
There are a number of different algorithm numbers in various DNSSEC related records.

* DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records. This defines how signatures are generated and whether NSEC3 is permitted in the zone as well as which NSEC3 hash algorithms are allowed in the zone.

* NSEC3 hash algorithm numbers appear in NSEC3 records. This defines the NSEC3 hash algorithm used to generate the NSEC3 record.

* DS hash algorithm numbers appear in DS records. This defines the DS hash algorithm used to generate the DS record. Note DS records have 2 algorithm numbers.

Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA signatures of the SHA1 hash of the RRset (RSASHA1). The zone *may* contain NSEC3 records and those NSEC3 records must be generated using the SHA1 (1) hash algorithm.

The error message said you signed the zone with NSEC3 records generated with hash algorithm 7. There is no such algorithm defined for NSEC3 records.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
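The three registries Mark separates above are easy to mix up because each is "an algorithm number" in presentation format. The following checker is an added example written for this page; it is not code from the thread, from BIND or from OpenDNSSEC. It reads a few zone-file lines, looks up each field in the registry that actually governs it, and reproduces the kind of warning Antonio saw when the NSEC3 hash field carries a DNSKEY algorithm number. The registry tables are a subset of the IANA lists linked above; the set of DNSKEY algorithms that signal NSEC3 support is taken from RFC 5155 (6, 7) and the later algorithm RFCs (8, 10, 13, 14, 15, 16), and the DS digest-length check goes slightly beyond the thread to show that the DS digest type is a third, independent registry. The zone records are constructed sample data.

```python
"""Check that each DNSSEC algorithm field is looked up in the right registry.

Added example, not part of the mailing-list thread. Registry tables are
subsets of the IANA lists; sample zone data is constructed.
"""

# DNSKEY / RRSIG / DS "algorithm" field (IANA dns-sec-alg-numbers), subset.
DNSKEY_ALGS = {
    3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# DNSKEY algorithms that may be used in an NSEC3-signed zone (RFC 5155 and
# the later algorithm RFCs). Algorithms 3 and 5 signal NSEC-only zones.
NSEC3_CAPABLE_ALGS = {6, 7, 8, 10, 13, 14, 15, 16}
# NSEC3 / NSEC3PARAM "hash algorithm" field (IANA dnssec-nsec3-parameters):
# only value 1 is defined.
NSEC3_HASH_ALGS = {1: "SHA-1"}
# DS "digest type" field (IANA ds-rr-types) with the digest length in bytes.
DS_DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}


def parse_records(zone_text):
    """Yield (owner, rtype, rdata fields) for each non-empty, non-comment line.

    Handles the common "owner [ttl] [class] type rdata..." layout only.
    """
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        # Drop the optional TTL and class tokens.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH")):
            rest.pop(0)
        if not rest:
            continue
        yield owner, rest[0].upper(), rest[1:]


def check_zone(zone, zone_text):
    """Return a list of warnings, in zone-file order, for registry misuse."""
    warnings = []
    dnskey_algs = set()
    has_nsec3 = False
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "DNSKEY":
            # DNSKEY rdata: flags protocol algorithm publickey
            alg = int(rdata[2])
            dnskey_algs.add(alg)
            if alg not in DNSKEY_ALGS:
                warnings.append(f"zone {zone}/IN: unknown DNSKEY algorithm: {alg}")
        elif rtype in ("NSEC3", "NSEC3PARAM"):
            # NSEC3(PARAM) rdata: hashalg flags iterations salt ...
            has_nsec3 = True
            hash_alg = int(rdata[0])
            if hash_alg not in NSEC3_HASH_ALGS:
                # Same wording BIND used in the thread for this mistake.
                warnings.append(
                    f"zone {zone}/IN: unsupported nsec3 hash algorithm: {hash_alg}")
        elif rtype == "DS":
            # DS rdata: keytag algorithm digesttype digest (two algorithm fields!)
            alg, dtype = int(rdata[1]), int(rdata[2])
            digest_hex = "".join(rdata[3:])
            if alg not in DNSKEY_ALGS:
                warnings.append(
                    f"zone {zone}/IN: DS {owner} names unknown DNSKEY algorithm: {alg}")
            if dtype not in DS_DIGEST_TYPES:
                warnings.append(
                    f"zone {zone}/IN: DS {owner} has unknown digest type: {dtype}")
            else:
                name, length = DS_DIGEST_TYPES[dtype]
                if len(digest_hex) != 2 * length:
                    warnings.append(
                        f"zone {zone}/IN: DS {owner} digest type {dtype} ({name}) "
                        f"expects {length} bytes, got {len(digest_hex) // 2}")
    if has_nsec3:
        for alg in sorted(dnskey_algs - NSEC3_CAPABLE_ALGS):
            warnings.append(
                f"zone {zone}/IN: NSEC3 present but DNSKEY algorithm {alg} "
                f"({DNSKEY_ALGS.get(alg, '?')}) does not signal NSEC3 support")
    return warnings


# Constructed sample: algorithm 7 keys, NSEC3 chain hashed with SHA-1 (1),
# and the DS record the parent would publish (digest bytes are placeholders).
GOOD_ZONE = (
    "myzone.mydomain.org. 3600 IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDKSK==\n"
    "myzone.mydomain.org. 3600 IN DNSKEY 256 3 7 AwEAAcONSTRUCTEDZSK==\n"
    "myzone.mydomain.org. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD\n"
    "myzone.mydomain.org. 3600 IN DS 12345 7 2 " + "00" * 32 + "\n"
)
# Constructed sample reproducing the thread's mistake (hash field set to 7),
# plus an NSEC-only key algorithm and a DS whose digest length does not
# match its digest type.
BAD_ZONE = (
    "myzone.mydomain.org. 3600 IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDKSK==\n"
    "myzone.mydomain.org. 3600 IN NSEC3PARAM 7 0 10 AABBCCDD\n"
    "myzone.mydomain.org. 3600 IN DS 12345 7 2 " + "00" * 20 + "\n"
)

if __name__ == "__main__":
    for label, text in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_zone("myzone.mydomain.org", text) or "no warnings")
```

Running the module prints no warnings for the first zone and three for the second, the first of which is the exact "unsupported nsec3 hash algorithm: 7" line from the original report: the value 7 is valid in the DNSKEY registry but has no meaning in the NSEC3 hash registry, which is the whole point of Mark's answer.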