[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3 signed-zone

Jason Roysdon dns-operations.20100813 at jason.roysdon.net
Sat Aug 14 06:25:18 UTC 2010

On 08/13/2010 06:21 PM, Anthony Iliopoulos wrote:
> On Fri, Aug 13, 2010 at 05:58:06PM -0700, Jason Roysdon wrote:
>> The problem I have is that my zone is using an NSEC3 and when BIND's
>> dnssec-signzone generates dsset files, it does so with algorithm 7.  How
>> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
>> as Neustar requires?
> You cannot do that. The DS record algorithm field is expected to
> match the exact algorithm used by the dnskey it is referring to,
> by protocol definition.
> One option is to wait until the registry supports the particular
> algorithm codes for the DS record, or you can always sign again
> the zones, but this time with one of the supported algorithms
> (but you cannot double-sign and mix NSEC with NSEC3).
> Regards,
> Anthony

That was my thought as I continued to dig.  dnssec-dsfromkey couldn't
help me out either.  As a work-around, I had this thought:

Create a delegated zone, say nsec3.mydomain.us, and sign it with nsec3
and put the ds record for that in the mydomain.us zone which will only
be nsec signed and enumerable.

Anything I wanted to keep from being easily listed I would put in

I know, security through obscurity is not really security, but it
doesn't mean I have to go broadcasting all of my records either.
Security has many layers, one of which can be to conceal anything other
than what folks have a need-to-know.

Jason Roysdon
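
Added example, not part of the original message or of BIND: a Python sketch of how a DS record is derived from a DNSKEY under RFC 4034, showing why a DS for an algorithm 7 key cannot be relabeled as algorithm 5. The digest covers the DNSKEY RDATA, which includes the algorithm byte. The key bytes are constructed sample data, and the function names are hypothetical.

```python
import base64, hashlib, struct

# Constructed sample key material (not a real RSA key); DS hashing treats it as opaque bytes.
PUB = base64.b64encode(b"\x03\x01\x00\x01" + b"constructed sample modulus").decode()

def name_to_wire(name):
    """Owner name in canonical (lowercased) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """Return (key_tag, algorithm, digest_type, digest_hex); algorithm is copied from the DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey_b64):
    """Validator-side check: DS algorithm must equal the DNSKEY algorithm, then tag and digest."""
    if ds[1] != algorithm:
        return False
    return ds == make_ds(owner, flags, protocol, algorithm, pubkey_b64, ds[2])

if __name__ == "__main__":
    ds7 = make_ds("mydomain.us", 257, 3, 7, PUB)       # key published as algorithm 7
    relabeled = (ds7[0], 5, ds7[2], ds7[3])            # same DS with the algorithm field edited to 5
    print("DS for alg 7 key:", ds7, ds_matches(ds7, "mydomain.us", 257, 3, 7, PUB))
    print("relabeled to alg 5 accepted:", ds_matches(relabeled, "mydomain.us", 257, 3, 7, PUB))
```

Re-signing with a key generated as algorithm 5 produces a different DNSKEY RDATA, so the DS for it has to be generated from that new key.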
