[Opendnssec-develop] Algorithm Type and NSEC/NSEC3
Rickard Bondesson
rickard.bondesson at iis.se
Thu Jul 9 09:15:33 UTC 2009
> No, RSASHA1 is not the algorithm used by nsec3 - it has a
> different mnemonic. I'll make a couple of examples tonight
> when I'm working.
It does use RSASHA1 for signatures, but RSASHA1 is not equal to type 7. RSASHA1 could be either 5 or 7 depending on the denial.
E.g.:
Policy/Denial/NSEC + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 5 for the KSK.
Policy/Denial/NSEC + Policy/Keys/ZSK/Algorithm(RSAMD5) = Algorithm type 1 for the ZSK.
Or:
Policy/Denial/NSEC3 + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 7 for the KSK.
Policy/Denial/NSEC3 + Policy/Keys/ZSK/Algorithm(RSASHA1) = Algorithm type 7 for the ZSK.
> --
> Sent from my iPhone, hence this mail might be briefer than normal.
>
> On 9 Jul 2009, at 10.04, "Rickard Bondesson"
> <rickard.bondesson at iis.se> wrote:
>
> > Hi
> >
> > Currently we set the algorithm type in kasp.xml by using 1, 5, or 7
> > (supported algorithms in OpenDNSSEC). But you can still choose whether
> > to use NSEC or NSEC3.
> >
> > So you can get odd combinations like NSEC but DNSKEY with type 7. Or
> > use algo 7 for KSK and algo 5 for ZSK, which is not allowed (RFC5155).
> >
> > I have a solution:
> > Use the algorithm name in the Algorithm Type field in the kasp.xml
> > like RSAMD5 and RSASHA1.
> >
> > Because when you are creating a signature with a key, you do not need
> > to know if you are using NSEC or NSEC3, right?
> >
> > The denial part of kasp.xml is then the only point where you specify
> > whether to use NSEC or NSEC3. And the Signer Engine then has to add
> > 1 plus 1 to be able to create the correct DNSKEY records. NSEC +
> > RSASHA1 = 5. NSEC3 + RSASHA1 = 7.
> >
> > This solution also makes the kasp.xml more readable for the user.
> >
> > A problem comes when an algorithm is not supported by both NSEC and
> > NSEC3 like MD5 or any future algorithm. But that would be solved by
> > the future kasp-validator.
> >
> > // Rickard
> >
> > _______________________________________________
> > Opendnssec-develop mailing list
> > Opendnssec-develop at lists.opendnssec.org
> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>
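The mapping discussed in this thread (denial type plus algorithm mnemonic gives the DNSKEY algorithm number, and the combination is rejected when an algorithm has no NSEC3 alias), worked through as an added example. This is not code from the thread or from OpenDNSSEC: the element paths follow the mail (Policy/Denial/NSEC, Policy/Keys/KSK/Algorithm), but an <Algorithm> element carrying a mnemonic is the proposal under discussion, not the kasp.xml format OpenDNSSEC shipped, and the sample policies are constructed for the example. The DSA/DSA-NSEC3-SHA1 pair (3/6) is the other alias pair from RFC 5155 and is added to the table for completeness; the thread itself only mentions RSAMD5 and RSASHA1.

```python
"""Derive DNSKEY algorithm numbers from a kasp.xml-style policy.

Added example for the scheme proposed in the thread: the policy names a
key's algorithm by mnemonic and names the denial mechanism once under
Policy/Denial; the signer derives the DNSKEY algorithm number from both.
The <Algorithm> text being a mnemonic is the proposal, not shipped kasp.xml.
"""
import xml.etree.ElementTree as ET

# mnemonic -> (DNSKEY number with NSEC, NSEC3 alias or None).
# RSAMD5 and RSASHA1 appear in the thread; DSA/DSA-NSEC3-SHA1 (3/6) is the
# other alias pair defined in RFC 5155 and is included for completeness.
ALGORITHMS = {
    "RSAMD5": (1, None),
    "DSA": (3, 6),
    "RSASHA1": (5, 7),
}


def algorithm_number(mnemonic, denial):
    """DNSKEY algorithm number for a mnemonic under "NSEC" or "NSEC3".

    Raises ValueError for an unknown mnemonic, an unknown denial type, or
    an algorithm without an NSEC3 alias (the RSAMD5 case from the mail).
    """
    if mnemonic not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm mnemonic: {mnemonic!r}")
    nsec_number, nsec3_alias = ALGORITHMS[mnemonic]
    if denial == "NSEC":
        return nsec_number
    if denial == "NSEC3":
        if nsec3_alias is None:
            raise ValueError(f"{mnemonic} has no NSEC3 alias (RFC 5155)")
        return nsec3_alias
    raise ValueError(f"unknown denial type: {denial!r}")


def denial_type(policy):
    """Read Policy/Denial: exactly one of <NSEC/> or <NSEC3/> must be present."""
    denial = policy.find("Denial")
    if denial is None:
        raise ValueError("Policy/Denial is missing")
    present = [tag for tag in ("NSEC", "NSEC3") if denial.find(tag) is not None]
    if len(present) != 1:
        raise ValueError(f"Policy/Denial must name exactly one of NSEC/NSEC3, got {present}")
    return present[0]


def derive_key_algorithms(kasp_xml):
    """Return {"KSK": n, "ZSK": n} for a single <Policy> document.

    Every key's number comes from the same Denial element, so the odd
    combinations from the mail (NSEC with algorithm 7, or KSK 7 with ZSK 5)
    cannot be produced: either all keys get NSEC3 aliases or none do.
    """
    policy = ET.fromstring(kasp_xml)
    if policy.tag != "Policy":
        raise ValueError(f"expected <Policy> root, got <{policy.tag}>")
    denial = denial_type(policy)
    numbers = {}
    for role in ("KSK", "ZSK"):
        mnemonic = policy.findtext(f"Keys/{role}/Algorithm")
        if mnemonic is None or not mnemonic.strip():
            raise ValueError(f"Policy/Keys/{role}/Algorithm is missing")
        numbers[role] = algorithm_number(mnemonic.strip(), denial)
    return numbers


def validate_policy(kasp_xml):
    """Validator-style entry point: list of problems, empty when the policy is fine."""
    try:
        derive_key_algorithms(kasp_xml)
    except (ValueError, ET.ParseError) as exc:
        return [str(exc)]
    return []


# Constructed sample policies in the proposed layout (not real kasp.xml files).
NSEC_POLICY = """<Policy name="nsec-example">
  <Denial><NSEC/></Denial>
  <Keys>
    <KSK><Algorithm>RSASHA1</Algorithm></KSK>
    <ZSK><Algorithm>RSAMD5</Algorithm></ZSK>
  </Keys>
</Policy>"""

NSEC3_POLICY = """<Policy name="nsec3-example">
  <Denial><NSEC3/></Denial>
  <Keys>
    <KSK><Algorithm>RSASHA1</Algorithm></KSK>
    <ZSK><Algorithm>RSASHA1</Algorithm></ZSK>
  </Keys>
</Policy>"""

# RSAMD5 has no NSEC3 alias, so this is the policy a kasp-validator must reject.
BAD_POLICY = NSEC3_POLICY.replace("<ZSK><Algorithm>RSASHA1", "<ZSK><Algorithm>RSAMD5")

if __name__ == "__main__":
    print(derive_key_algorithms(NSEC_POLICY))   # {'KSK': 5, 'ZSK': 1}
    print(derive_key_algorithms(NSEC3_POLICY))  # {'KSK': 7, 'ZSK': 7}
    print(validate_policy(BAD_POLICY))          # ['RSAMD5 has no NSEC3 alias (RFC 5155)']
```

The point of deriving both numbers from one Denial element is that the validator does not need a separate rule against mixing 5 and 7: the only way to get an NSEC3 alias is for the whole policy to be NSEC3, and an algorithm with no alias fails at that single point instead of producing a zone that NSEC3-unaware validators would treat as bogus.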