[dns-operations] signing a zone with NSEC3 records.
Edward Lewis
Ed.Lewis at neustar.biz
Thu Sep 10 19:52:53 UTC 2009
(Resending because the quote level indicators went missing.)
At 12:07 -0700 9/10/09, Ravi Kondamuru wrote:
># 5. sign the zone with both the keys and opt for NSEC3 by using option -3:
>does not generate a signed domain.
># indicates error: NSEC3 generation requested with NSEC only DNSKEY
>fbsd63# dnssec-signzone -o testnsecnsec3.org
>-k Ktestnsecnsec3.org.+005+64081.private
>-k Ktestnsecnsec3.org.+007+19293.private -3
>bb6945e66c82b958763f5fb69f745a78 testnsecnsec3.org.db
>Ktestnsecnsec3.org.+005+64917.private
>Ktestnsecnsec3.org.+007+56312.private
>
>dnssec-signzone: NSEC3 generation requested with NSEC only DNSKEY
The problem is you can't NSEC3 with an NSEC-only key, but you can NSEC
with an NSEC3-capable key.
I made the same mistake when I tried this the first time.
>Am I doing something wrong in step 5 or is it not possible to do (5)?
>With step 4, I got a signed domain in line with what you have attached in
>your email.
So - alg 5 and/or 7 can be in an NSEC zone
Only alg 7 can be in an NSEC3 zone
The reason is that if a validator only knows alg 5, it probably
doesn't understand NSEC3 so it would have issues.
If a validator knows alg 7, it knows NSEC (from the old days) and
NSEC3 (the new thing).
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
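An added example (not from this thread, and not BIND's own code): a small Python pre-flight check that reads BIND's K<zone>.+<alg>+<keytag> key file names and applies the rule explained above, plus a toy model of the validator-side reasoning. It generalises the alg 5/7 case to the other registered algorithms (NSEC-only: 1, 3, 5; NSEC3-capable: 6, 7 from RFC 5155 and everything defined since); the validator model is a simplification, not a description of any particular resolver.

```python
import re

# IANA DNSSEC algorithm numbers. The NSEC-only algorithms predate RFC 5155;
# the RFC 5155 aliases (6, 7) and every later algorithm signal NSEC3 support.
NSEC_ONLY_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
NSEC3_CAPABLE_ALGS = {6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                      10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
                      15: "ED25519", 16: "ED448"}

# BIND names key files K<zone>.+<alg>+<keytag>.private (.key for the public half).
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?:private|key)$")


def parse_keyfile(name):
    """Return (zone, algorithm number, key tag) from a BIND key file name."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError("not a BIND key file name: %s" % name)
    return m.group("zone"), int(m.group("alg")), int(m.group("tag"))


def check_signing(keyfiles, nsec3):
    """Pre-flight the rule dnssec-signzone enforces: an NSEC zone may carry any
    algorithm, an NSEC3 zone (-3 <salt>) must not carry an NSEC-only DNSKEY.
    Returns (ok, message); on failure the message echoes the signer's error."""
    algs = sorted({parse_keyfile(k)[1] for k in keyfiles})
    unknown = [a for a in algs if a not in NSEC_ONLY_ALGS and a not in NSEC3_CAPABLE_ALGS]
    if unknown:
        return False, "unknown DNSKEY algorithm(s): %s" % unknown
    if nsec3:
        nsec_only = [a for a in algs if a in NSEC_ONLY_ALGS]
        if nsec_only:
            return False, ("NSEC3 generation requested with NSEC only DNSKEY "
                           "(algorithm %s)" % ", ".join(map(str, nsec_only)))
        return True, "NSEC3 zone with algorithm(s) %s" % algs
    return True, "NSEC zone with algorithm(s) %s" % algs


def validator_outcome(zone_algs, nsec3, validator_algs):
    """Toy model of the reasoning in the post: a validator supporting none of the
    zone's algorithms treats the zone as unsigned (insecure, RFC 4035 s5.2); one
    that knows the key algorithm but no NSEC3-capable algorithm cannot verify
    NSEC3 denial of existence (bogus); otherwise it validates (secure)."""
    if not set(zone_algs) & set(validator_algs):
        return "insecure"
    if nsec3 and not set(validator_algs) & set(NSEC3_CAPABLE_ALGS):
        return "bogus"
    return "secure"


if __name__ == "__main__":
    keys = ["Ktestnsecnsec3.org.+005+64081.private", "Ktestnsecnsec3.org.+007+19293.private"]
    print(check_signing(keys, nsec3=True))   # step 5: refused, alg 5 is NSEC-only
    print(check_signing(keys, nsec3=False))  # step 4: fine, NSEC accepts both
```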