[Opendnssec-develop] Algorithm Type and NSEC/NSEC3

Jakob Schlyter jakob at kirei.se
Thu Jul 9 09:07:20 UTC 2009


No, RSASHA1 is not the algorithm used by nsec3 - it has a different mnemonic. I'll make a couple of examples tonight when I'm working.

--
Sent from my iPhone, hence this mail might be briefer than normal.

On 9 jul 2009, at 10.04, "Rickard Bondesson" <rickard.bondesson at iis.se> wrote:

> Hi
>
> Currently we set the algorithm type in kasp.xml by using 1, 5, or 7 (supported algorithms in OpenDNSSEC). But you can still choose whether to use NSEC or NSEC3.
>
> So you can get odd combinations like NSEC but DNSKEY with type 7. Or use algo 7 for KSK and algo 5 for ZSK, which is not allowed (RFC5155).
>
> I have a solution:
> Use the algorithm name in the Algorithm Type field in the kasp.xml like RSAMD5 and RSASHA1.
>
> Because when you are creating a signature with a key, you do not need to know if you are using NSEC or NSEC3, right?
>
> The denial part of kasp.xml is then the only point where you specify whether to use NSEC or NSEC3. And the Signer Engine then has to add 1 plus 1 to be able to create the correct DNSKEY records. NSEC + RSASHA1 = 5. NSEC3 + RSASHA1 = 7.
>
> This solution also makes the kasp.xml more readable for the user.
>
> A problem comes when an algorithm is not supported by both NSEC and NSEC3 like MD5 or any future algorithm. But that would be solved by the future kasp-validator.
>
> // Rickard
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
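The derivation Rickard describes (algorithm name in kasp.xml plus NSEC/NSEC3 from the Denial section), beside a check for the combinations he calls odd, as an added example in my own Python, not OpenDNSSEC's code. The algorithm numbers and IANA mnemonics are from the DNSSEC algorithm registry; the table layout, the base names used as kasp.xml values, and the function names are assumptions.

```python
# Added example, not OpenDNSSEC code. Registry numbers and IANA mnemonics are
# real; the base names as kasp.xml values, the table layout and the function
# names are this example's own assumptions.
ALGORITHMS = {
    # base name -> {denial type: (algorithm number, IANA mnemonic)}
    "RSAMD5":  {"NSEC": (1, "RSAMD5")},               # no NSEC3 alias exists
    "DSA":     {"NSEC": (3, "DSA"), "NSEC3": (6, "DSA-NSEC3-SHA1")},
    "RSASHA1": {"NSEC": (5, "RSASHA1"), "NSEC3": (7, "RSASHA1-NSEC3-SHA1")},
}
NSEC3_ALIASES = {6, 7}   # numbers that signal an NSEC3-signed zone
NUMBER_TO_NAME = {num: name for variants in ALGORITHMS.values()
                  for num, name in variants.values()}


class PolicyError(ValueError):
    """Raised when a kasp.xml combination cannot yield valid DNSKEY records."""


def supported_denials(base):
    """Denial types an algorithm name can be used with (RSAMD5 -> NSEC only)."""
    return set(ALGORITHMS.get(base, {}))


def dnskey_algorithm(base, denial):
    """Proposed scheme: NSEC + RSASHA1 -> (5, 'RSASHA1'); NSEC3 + RSASHA1 -> 7."""
    if denial not in supported_denials(base):
        raise PolicyError(f"{base} cannot be used with {denial}")
    return ALGORITHMS[base][denial]


def check_numeric_policy(ksk_num, zsk_num, denial):
    """Current scheme (numbers typed directly): return the problems a validator
    should report, e.g. NSEC with algorithm 7, or KSK 7 with ZSK 5 (RFC 5155)."""
    problems = []
    for role, num in (("KSK", ksk_num), ("ZSK", zsk_num)):
        if num not in NUMBER_TO_NAME:
            problems.append(f"{role}: algorithm {num} is not supported")
        elif (num in NSEC3_ALIASES) != (denial == "NSEC3"):
            problems.append(f"{role}: algorithm {num} ({NUMBER_TO_NAME[num]}) "
                            f"does not match Denial type {denial}")
    if (ksk_num in NSEC3_ALIASES) != (zsk_num in NSEC3_ALIASES):
        problems.append("KSK and ZSK mix NSEC3 and non-NSEC3 algorithm numbers")
    return problems


if __name__ == "__main__":
    print(dnskey_algorithm("RSASHA1", "NSEC3"))        # (7, 'RSASHA1-NSEC3-SHA1')
    for problem in check_numeric_policy(7, 5, "NSEC"):
        print("kasp.xml problem:", problem)
```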