[dns-operations] DNSSEC DS record generation for DOT-US from NSEC3 signed-zone
bmanning at vacation.karoshi.com
Sat Aug 14 21:22:02 UTC 2010
On Fri, Aug 13, 2010 at 05:58:06PM -0700, Jason Roysdon wrote:
> I am working on getting my DS record added to the DOT-US zone with
> Neustar. In doing so, I found out they have a limitation of only
> supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
> RSA/SHA1:
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
>
> They do not support algorithm 7, which is RSASHA1-NSEC3-SHA1. So when I
> sent them my DS keys, they added them as algorithm 3, which of course
> didn't work and reported bogus DS records, so they pulled the record
> back out (thanks, Andrew).
>
> The problem I have is that my zone is using an NSEC3 and when BIND's
> dnssec-signzone generates dsset files, it does so with algorithm 7. How
> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
> as Neustar requires?
>
> Thanks,
>
> Jason Roysdon
Don't ask Neustar to support something they don't.
Don't compromise your zone with tricks (it might look
like it works, but it won't).
Tell folks that want to validate your delegation to use the
DS record you publish - you can self publish or use a
reputation service like the ISC DLV.
A word of caution on the use of reputation services or self
publication. Once your DS "escapes"... it's virtually impossible
to eradicate it - which leads to all kinds of weird failures
down the road... ones that you can't fix on your own.
--bill
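As an added illustration of why the relabelling Neustar attempted (and any "trick" of editing the algorithm field) cannot validate, here is a small Python model of DS generation from a DNSKEY (RFC 4034) and of the validator's DS-to-DNSKEY matching rule (RFC 4035 section 5.2). This is example code written for this page, not code from the thread, from BIND's dnssec-signzone, or from Neustar; the owner name example.us. and the public key bytes are constructed placeholders, not a real key.

```python
"""
Added example (not from the dns-operations thread): build a DS record from a
DNSKEY per RFC 4034 and check it against the DNSKEY the way a validator does
(RFC 4035 section 5.2). The algorithm byte is part of both the key tag and
the digest input, and the DS algorithm field must equal the DNSKEY algorithm,
so a DS for an algorithm-7 key cannot be made to match by relabelling it 3 or 5.
"""
import hashlib
import struct

# Algorithm numbers from the IANA registry linked in the thread.
ALG_DSA_SHA1 = 3
ALG_RSA_SHA1 = 5
ALG_RSASHA1_NSEC3_SHA1 = 7

DIGEST_SHA1 = 1  # DS digest type 1 (RFC 4034 section 5.1.3)

# Constructed placeholder public key bytes (NOT a real RSA key).
SAMPLE_PUBKEY = bytes(range(1, 65))
OWNER = "example.us."  # constructed owner name


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: Flags(2) | Protocol(1) | Algorithm(1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag computed over the whole DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """DS = key tag | algorithm | digest type | SHA-1(owner wire | DNSKEY RDATA)."""
    if len(rdata) < 4:
        raise ValueError("DNSKEY RDATA too short")
    algorithm = rdata[3]  # copied straight from the DNSKEY, never chosen freely
    digest = hashlib.sha1(owner_name_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA1, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Validator rule (RFC 4035 5.2): algorithm, key tag and digest must all agree."""
    expected = make_ds(owner, rdata)
    return (ds["algorithm"] == expected["algorithm"]
            and ds["key_tag"] == expected["key_tag"]
            and ds["digest"] == expected["digest"])


def relabel_ds_algorithm(ds: dict, new_algorithm: int) -> dict:
    """The 'trick': edit only the DS algorithm field, keeping tag and digest."""
    return dict(ds, algorithm=new_algorithm)


KSK_RDATA = dnskey_rdata(257, 3, ALG_RSASHA1_NSEC3_SHA1, SAMPLE_PUBKEY)


def demo() -> dict:
    """Compare the genuine DS with two relabelling attempts against the real key."""
    ds_real = make_ds(OWNER, KSK_RDATA)
    ds_relabelled = relabel_ds_algorithm(ds_real, ALG_DSA_SHA1)
    # Same key bytes re-declared as algorithm 5: different tag and digest.
    alt_rdata = dnskey_rdata(257, 3, ALG_RSA_SHA1, SAMPLE_PUBKEY)
    ds_alt = make_ds(OWNER, alt_rdata)
    return {
        "real_matches": ds_matches_dnskey(ds_real, OWNER, KSK_RDATA),
        "relabelled_matches": ds_matches_dnskey(ds_relabelled, OWNER, KSK_RDATA),
        "alg5_ds_matches_alg7_key": ds_matches_dnskey(ds_alt, OWNER, KSK_RDATA),
        "tag_changed": ds_alt["key_tag"] != ds_real["key_tag"],
        "digest_changed": ds_alt["digest"] != ds_real["digest"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the genuine DS matches; the DS with its algorithm field rewritten to 3 fails the algorithm comparison, and a DS computed over the same key bytes declared as algorithm 5 carries a different key tag and digest, so it matches neither the published key nor anything the signer actually produced. This is the mechanism behind the "bogus DS records" Jason saw and why the reply advises against tricks.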