[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3 signed-zone
Jason Roysdon
dns-operations.20100813 at jason.roysdon.net
Sat Aug 14 06:25:18 UTC 2010
On 08/13/2010 06:21 PM, Anthony Iliopoulos wrote:
> On Fri, Aug 13, 2010 at 05:58:06PM -0700, Jason Roysdon wrote:
>
>> The problem I have is that my zone is using an NSEC3 and when BIND's
>> dnssec-signzone generates dsset files, it does so with algorithm 7. How
>> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
>> as Neustar requires?
>
> You cannot do that. The DS record algorithm field is expected to
> match the exact algorithm used by the dnskey it is referring to,
> by protocol definition.
>
> One option is to wait until the registry supports the particular
> algorithm codes for the DS record, or you can always sign again
> the zones, but this time with one of the supported algorithms
> (but you cannot double-sign and mix NSEC with NSEC3).
>
> Regards,
> Anthony
>
That was my thought as I continued to dig. dnssec-dsfromkey couldn't
help me out either. As a work-around, I had this thought:
Create a delegated zone, say nsec3.mydomain.us, and sign it with NSEC3,
and put the DS record for that in the mydomain.us zone, which will only
be NSEC-signed and enumerable.
Anything I wanted to keep from being easily listed I would put in
nsec3.mydomain.us.
I know, security through obscurity is not really security, but it
doesn't mean I have to go broadcasting all of my records either.
Security has many layers, one of which can be to conceal anything other
than what folks have a need to know.
Jason Roysdon
http://jason.roysdon.net/
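Added here as an illustration, not part of the thread: a small Python implementation of DS generation from DNSKEY RDATA as RFC 4034 specifies, using a constructed dummy key (nothing in it comes from BIND's or Neustar's code, and the key bytes are not a real RSA key). It shows why Anthony's answer holds: the DS key tag and digest are computed over the DNSKEY RDATA including its algorithm byte, so relabelling an algorithm 7 (NSEC3) key as algorithm 5 yields a DS that matches nothing, which is what makes the delegated nsec3.mydomain.us subzone the workable route.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label prefixed by its length, terminated by a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> tuple:
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DS RR.
    The digest covers the owner name in wire form followed by the DNSKEY
    RDATA; the algorithm field is copied straight from the DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

# Constructed dummy KSK material (not a real RSA key; far too short to be one).
KSK_PUBKEY = bytes(range(1, 17))
NSEC3_ALG, NSEC_ALG = 7, 5   # RSASHA1-NSEC3-SHA1 versus RSASHA1

def mismatch_demo(owner: str = "nsec3.mydomain.us") -> tuple:
    """DS computed from the real algorithm-7 key versus a DS that merely
    relabels it as algorithm 5: tag and digest both change, so a validator
    could never match the relabelled DS against the published DNSKEY."""
    real = ds_record(owner, 257, 3, NSEC3_ALG, KSK_PUBKEY)
    relabelled = ds_record(owner, 257, 3, NSEC_ALG, KSK_PUBKEY)
    return real, relabelled

if __name__ == "__main__":
    for tag, alg, dt, digest in mismatch_demo():
        print(f"nsec3.mydomain.us. IN DS {tag} {alg} {dt} {digest}")
```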