[dns-operations] signing a zone with NSEC3 records.

Ravi Kondamuru ravikondamuru at gmail.com
Thu Sep 10 18:12:15 UTC 2009


> > It is not clear which mode of operation DNS servers should be
> > configured to operate in:
>
> At least for BIND and NSD, there is nothing to configure, they accept
> both and serve both (otherwise, it would be an operational nightmare).
>
> > My understanding so far is a DNS server cannot be run in a mixed
> > (supporting both NSEC and NSEC3) mode.
>
> That's not true.
>

I was trying to confirm that on an authoritative server, a zone cannot at
the same time be configured to serve out both NSEC and NSEC3 records.

I understand that on an authoritative server ZoneA can be signed using
RSASHA1 algorithm and ZoneB using RSASHA1-NSEC3-SHA1, but it is not possible
to have ZoneC signed using both RSASHA1 and RSASHA1-NSEC3-SHA1. ZoneC has to
choose one of the two.

thanks,
Ravi.