[Opendnssec-develop] Algorithm Type and NSEC/NSEC3

Rickard Bondesson rickard.bondesson at iis.se
Thu Jul 9 08:04:18 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

Currently we set the algorithm type in kasp.xml by using 1, 5, or 7 (supported algorithms in OpenDNSSEC). But you can still choose whether to use NSEC or NSEC3.

So you can get odd combinations like NSEC but DNSKEY with type 7. Or use algo 7 for KSK and algo 5 for ZSK, which is not allowed (RFC5155).

I have a solution:
Use the algorithm name in the Algorithm Type field in the kasp.xml like RSAMD5 and RSASHA1.

Because when you are creating a signature with a key, you do not need to know if you are using NSEC or NSEC3, right?

The denial part of kasp.xml is then the only point where you specify whether to use NSEC or NSEC3. And the Signer Engine then has to add 1 plus 1 to be able to create the correct DNSKEY records. NSEC + RSASHA1 = 5. NSEC3 + RSASHA1 = 7.

This solution also makes the kasp.xml more readable for the user.

A problem comes when an algorithm is not supported by both NSEC and NSEC3 like MD5 or any future algorithm. But that would be solved by the future kasp-validator.

// Rickard
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSlWkguCjgaNTdVjaAQiS1wf/Ui3Fj6hlz61EX+JxmPDvopfreVfitJAM
hSZKvwXt9I5hvZdNjTqrHEcTMHTPc+hzWvT7+D+e3GW8k4h6QcYN0n/5KLpH0o58
mbl3h0LGXHBKQxw+db/Qwk9HKVqR+U2wydH4RbmQjWEMQ9LvzKJLkcV8afFJQb44
ndPx0FBq49JpwcDJskFqab4bjqG2fBtmCuRDm1zDzIlvQeoppoxD66PvV2vqMtSP
5WvWCVfEtnEojBTwDcU0VcVSZs0FptwAlng+90I0ta60NjM3qBkND62ivZzUoUKH
rHHgikGREIKWz2a5qJI3uy5ENHTsZXsvkRErroxpMR+eu/fDe1l6fA==
=p0W2
-----END PGP SIGNATURE-----
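The rule proposed above (name the algorithm in kasp.xml, pick NSEC or NSEC3 once in the Denial section, and let the signer derive the DNSKEY algorithm number) can be expressed as a small lookup plus a policy check. The code below is an added example, not OpenDNSSEC's own implementation; the simplified kasp.xml fragment, the function names and the limited algorithm table are assumptions. It also includes a check for existing numeric policies that flags the two odd combinations named in the post (an NSEC zone with algorithm 7, and algorithm 7 for the KSK beside 5 for the ZSK).

```python
"""Derive DNSKEY algorithm numbers from (denial method, algorithm name) and
validate a KSK/ZSK policy.  Added example code, not OpenDNSSEC's code."""
import xml.etree.ElementTree as ET

# DNSKEY algorithm numbers from the IANA registry (RFC 4034 / RFC 5155).
# Only the algorithms discussed in the post plus the DSA pair are listed;
# RSAMD5 deliberately has no NSEC3 entry because no such alias exists.
ALGORITHMS = {
    "RSAMD5":  {"NSEC": 1},
    "DSA":     {"NSEC": 3, "NSEC3": 6},
    "RSASHA1": {"NSEC": 5, "NSEC3": 7},
}

# Numbers that are NSEC3-only aliases (RFC 5155) and numbers that signal NSEC.
NSEC3_ONLY = {n["NSEC3"] for n in ALGORITHMS.values() if "NSEC3" in n}
NSEC_ONLY = {n["NSEC"] for n in ALGORITHMS.values()}


def dnskey_algorithm(denial, name):
    """Return the DNSKEY algorithm number for an algorithm name under the
    given denial method, e.g. ('NSEC3', 'RSASHA1') -> 7.  Raises ValueError
    for a combination that has no registered number (e.g. NSEC3 + RSAMD5),
    which is the case the post leaves to a kasp validator."""
    try:
        return ALGORITHMS[name.upper()][denial.upper()]
    except KeyError:
        raise ValueError(f"{name} has no DNSKEY algorithm number for {denial}") from None


# Constructed, simplified kasp.xml fragment (assumed layout, not the real schema).
SAMPLE_KASP = """
<Policy name="default">
  <Denial><NSEC3/></Denial>
  <Keys>
    <KSK><Algorithm>RSASHA1</Algorithm></KSK>
    <ZSK><Algorithm>RSASHA1</Algorithm></ZSK>
  </Keys>
</Policy>
"""


def resolve_policy(xml_text):
    """Read the denial method once from <Denial> and derive the KSK and ZSK
    algorithm numbers from their names.  Both keys necessarily end up on the
    same side of the NSEC/NSEC3 split, so the mismatch cannot be configured."""
    policy = ET.fromstring(xml_text)
    denial = "NSEC3" if policy.find("Denial/NSEC3") is not None else "NSEC"
    result = {"denial": denial}
    for role in ("KSK", "ZSK"):
        name = policy.find(f"Keys/{role}/Algorithm").text.strip()
        result[role] = dnskey_algorithm(denial, name)
    return result


def check_numeric_policy(denial, ksk_alg, zsk_alg):
    """Validate a policy written the current way (numeric algorithms).
    Returns a list of problems; an empty list means the policy is consistent."""
    problems = []
    for role, alg in (("KSK", ksk_alg), ("ZSK", zsk_alg)):
        if denial == "NSEC" and alg in NSEC3_ONLY:
            problems.append(f"{role} uses NSEC3 alias algorithm {alg} in an NSEC zone")
        if denial == "NSEC3" and alg in NSEC_ONLY:
            problems.append(f"{role} uses algorithm {alg}, which does not signal NSEC3")
    if (ksk_alg in NSEC3_ONLY) != (zsk_alg in NSEC3_ONLY):
        problems.append(f"KSK algorithm {ksk_alg} and ZSK algorithm {zsk_alg} mix NSEC and NSEC3 aliases")
    return problems


if __name__ == "__main__":
    print(resolve_policy(SAMPLE_KASP))            # {'denial': 'NSEC3', 'KSK': 7, 'ZSK': 7}
    print(check_numeric_policy("NSEC", 7, 5))     # two problems
    print(check_numeric_policy("NSEC3", 7, 7))    # []
```

Keeping the numbers in an explicit table rather than adding an offset avoids the MD5 problem the post raises: an algorithm with no NSEC3 alias simply has no entry, and the lookup fails loudly instead of producing an unregistered number.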


