[Opendnssec-develop] Algorithm Type and NSEC/NSEC3
Jelte Jansen
jelte at NLnetLabs.nl
Thu Jul 9 09:40:52 UTC 2009
Rickard Bondesson wrote:
>> No, RSASHA1 is not the algorithm used by nsec3 - it has a
>> different mnemonic. I'll make a couple of examples tonight
>> when I'm working.
>
> It does use RSASHA1 for signatures, but RSASHA1 is not equal to the type 7. RSASHA1 could be both 5 and 7 depending on the denial.
>
> E.g.:
> Policy/Denial/NSEC + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 5 for the KSK.
> Policy/Denial/NSEC + Policy/Keys/ZSK/Algorithm(RSAMD5) = Algorithm type 1 for the ZSK.
>
> Or:
>
> Policy/Denial/NSEC3 + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 7 for the KSK.
> Policy/Denial/NSEC3 + Policy/Keys/ZSK/Algorithm(RSASHA1) = Algorithm type 7 for the ZSK.
>
Well, the engine could automagically fix the erroneous combination 5+nsec3, but
7+nsec is perfectly valid.
But what should the engine do then when an administrator changes the denial
value from nsec to nsec3? That would then require a rollover scheme, since the
public key would change...
It may be more reasonable to error on 1/5+nsec3.
Jelte
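As an added example (not OpenDNSSEC's own code), the following Python resolves a key's algorithm number from the Denial type plus the configured algorithm, combining the denial-relative mnemonic mapping from the quoted message (RSASHA1 is 5 under NSEC, 7 under NSEC3) with the reply's suggestion to error on an explicit 1/5 + NSEC3 rather than rewrite it. The DSA numbers 3/6 are an assumption beyond what the thread mentions; they follow the same RFC 5155 pattern.

```python
# IANA DNSSEC algorithm numbers. RSAMD5 and RSASHA1 are the ones from the
# thread; DSA (assumed here) follows the same NSEC/NSEC3 split.
NSEC_NUMBERS = {"RSAMD5": 1, "DSA": 3, "RSASHA1": 5}
# NSEC3-aware aliases from RFC 5155: same signature scheme, different number.
# RSAMD5 has no NSEC3-aware variant.
NSEC3_ALIAS = {3: 6, 5: 7}


def resolve_algorithm(denial, algorithm):
    """Return the algorithm number a key gets under the given Denial type.

    denial:    "NSEC" or "NSEC3" (Policy/Denial)
    algorithm: a mnemonic such as "RSASHA1", or an explicit number such as 7
               (Policy/Keys/KSK|ZSK/Algorithm)
    Raises ValueError on unknown input or an NSEC-only number used with NSEC3.
    """
    if denial not in ("NSEC", "NSEC3"):
        raise ValueError("unknown denial type: %r" % (denial,))

    if isinstance(algorithm, int):
        number = algorithm
        if denial == "NSEC3" and number in NSEC_NUMBERS.values():
            # The reply's suggestion: error on 1/3/5 + NSEC3 instead of
            # auto-fixing, since changing the number changes the published key.
            hint = NSEC3_ALIAS.get(number)
            raise ValueError("algorithm %d is not NSEC3-aware%s"
                             % (number, "; use %d" % hint if hint else ""))
        # 6 or 7 together with NSEC is perfectly valid, as the reply notes.
        return number

    try:
        number = NSEC_NUMBERS[str(algorithm).upper()]
    except KeyError:
        raise ValueError("unknown algorithm mnemonic: %r" % (algorithm,))
    if denial == "NSEC":
        return number
    # The quoted message's mapping: under NSEC3 the mnemonic resolves to its
    # NSEC3-aware number (RSASHA1 -> 7).
    if number not in NSEC3_ALIAS:
        raise ValueError("%s has no NSEC3-aware variant" % (algorithm,))
    return NSEC3_ALIAS[number]


def is_valid_combination(denial, algorithm):
    """True if resolve_algorithm accepts the pair, False if it rejects it."""
    try:
        resolve_algorithm(denial, algorithm)
        return True
    except ValueError:
        return False
```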