[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3 signed-zone

Jason Roysdon dns-operations.20100813 at jason.roysdon.net
Sat Aug 14 00:58:06 UTC 2010

I am working on getting my DS record added to the DOT-US zone with
Neustar.  In doing so, I found out they have a limitation of only
supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is

They do not support algorithm 7, which is RSASHA1-NSEC3-SHA1.  So when I
sent them my DS keys, they added them as algorithm 3, which of course
didn't work and reported bogus DS records, so they pulled the record
back out (thanks, Andrew).

The problem I have is that my zone is using an NSEC3 and when BIND's
dnssec-signzone generates dsset files, it does so with algorithm 7.  How
can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
as Neustar requires?


Jason Roysdon

More information about the dns-operations mailing list