[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3 signed-zone

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sat Aug 14 21:22:02 UTC 2010

On Fri, Aug 13, 2010 at 05:58:06PM -0700, Jason Roysdon wrote:
> I am working on getting my DS record added to the DOT-US zone with
> Neustar.  In doing so, I found out they have a limitation of only
> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
> They do not support algorithm 7, which is RSASHA1-NSEC3-SHA1.  So when I
> sent them my DS keys, they added them as algorithm 3, which of course
> didn't work and reported bogus DS records, so they pulled the record
> back out (thanks, Andrew).
> The problem I have is that my zone is using an NSEC3 and when BIND's
> dnssec-signzone generates dsset files, it does so with algorithm 7.  How
> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
> as Neustar requires?
> Thanks,
> Jason Roysdon

	Don't ask Neustar to support something they don't.
	Don't compromise your zone with tricks (it might look
	like it works, but it won't)

	Tell folks that want to validate your delegation to use the
	DS record you publish - you can self publish or use a
	reputation service like the ISC DLV.

	A word of caution on the use of reputation services or self
	publication.  Once your DS "escapes"... its virtually impossible
	to erradicate it - which leads to all kinds of weird failures
	down the road... ones that you can't fix on your own.


More information about the dns-operations mailing list