[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3 signed-zone

Anthony Iliopoulos ailiop at lsu.edu
Sat Aug 14 01:21:30 UTC 2010

On Fri, Aug 13, 2010 at 05:58:06PM -0700, Jason Roysdon wrote:

> The problem I have is that my zone is using an NSEC3 and when BIND's
> dnssec-signzone generates dsset files, it does so with algorithm 7.  How
> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
> as Neustar requires?

You cannot do that. The DS record algorithm field is expected to
match the exact algorithm used by the dnskey it is referring to,
by protocol definition.

One option is to wait until the registry supports the particular
algorithm codes for the DS record, or you can always sign again
the zones, but this time with one of the supported algorithms
(but you cannot double-sign and mix NSEC with NSEC3).


More information about the dns-operations mailing list