[Opendnssec-develop] Algorithm Type and NSEC/NSEC3

Rickard Bondesson rickard.bondesson at iis.se
Thu Jul 9 10:06:03 UTC 2009



> Well, the engine could automagically fix the erroneous 
> combination 5+nsec3, but 
> 7+nsec is perfectly valid.

True since 7 is just an alias for 5. But doesn't the validator then think it should get NSEC3 and not NSEC records? Or could it guess that without the DNSKEY type = 5?

> But what should the engine do then when an administrator 
> changes the denial value from nsec to nsec3? that would then 
> require a rollover scheme, since the public key would change...
>
> it may be more reasonable to error on 1/5+nsec3

True. So this is only applicable to the kasp.xml, and we should still use the 1,5,7 for the signconf.xml.
Because the kasp.xml is only used for new keys. And when a key is generated by keygend it gets its flag from the current policy and will keep this flag even if the policy changes, in the "keypairs" field of the kasp.db.

// Rickard
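The policy rule discussed in this thread (reject 1/5+nsec3 for new keys in kasp.xml, accept 7+nsec, and keep an existing key's own algorithm number in signconf.xml) written out as an added example. This is not OpenDNSSEC code; the function names, the split into `check_policy` and `signconf_algorithm`, and the sample DNSKEY RDATA are this example's own assumptions. Algorithm numbers come from the IANA DNSSEC algorithm registry and the key tag follows RFC 4034 Appendix B; the key tag is included to show why silently rewriting a key's algorithm from 5 to 7 produces a different DNSKEY record, which is the reason a rollover would be needed rather than an in-place fix.

```python
"""Added example (not OpenDNSSEC code): check an algorithm/denial pair and
show that changing a key's algorithm number changes the DNSKEY record.
Function names and the sample key below are this example's assumptions."""

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry.
ALG_NAMES = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# Algorithms defined before RFC 5155. A validator that knows only NSEC will
# try to validate a zone signed with them and fail when it meets NSEC3 records.
PRE_NSEC3_ALGS = {1, 3, 5}

# RFC 5155 aliases: same signature math, different number, so that an
# NSEC3-unaware validator treats the zone as insecure instead of bogus.
NSEC3_ALIAS = {3: 6, 5: 7}


def suggested_nsec3_algorithm(algorithm):
    """NSEC3-signalling alias for a pre-NSEC3 algorithm, or None (RSAMD5 has none)."""
    return NSEC3_ALIAS.get(algorithm)


def check_policy(algorithm, denial):
    """Validate a kasp.xml-style (algorithm, denial) pair for *new* keys.

    Returns (ok, message). denial is "nsec" or "nsec3".
    """
    if denial not in ("nsec", "nsec3"):
        return False, f"unknown denial type {denial!r}"
    name = ALG_NAMES.get(algorithm)
    if name is None:
        return False, f"unknown algorithm number {algorithm}"
    if denial == "nsec3" and algorithm in PRE_NSEC3_ALGS:
        alias = suggested_nsec3_algorithm(algorithm)
        hint = f"use algorithm {alias}" if alias else "no NSEC3 alias exists"
        return False, f"{name} ({algorithm}) cannot signal NSEC3; {hint}"
    # 7+nsec is fine: an NSEC3-capable algorithm may still sign an NSEC zone.
    return True, f"{name} ({algorithm}) with {denial.upper()} is valid"


def signconf_algorithm(key_algorithm, policy_denial):
    """What goes into signconf.xml for an *existing* key.

    The key keeps the number it was generated with; the second value tells
    the caller whether the policy change can only be honoured by a rollover.
    """
    needs_rollover = policy_denial == "nsec3" and key_algorithm in PRE_NSEC3_ALGS
    return key_algorithm, needs_rollover


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def with_algorithm(rdata, algorithm):
    """Same DNSKEY RDATA with the algorithm octet (offset 3) replaced."""
    return rdata[:3] + bytes([algorithm]) + rdata[4:]


# Constructed sample DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 5,
# followed by a deliberately tiny, non-functional RSA public key blob.
SAMPLE_DNSKEY_RDATA = bytes.fromhex("0101" "03" "05" "03010001c0ffee")


if __name__ == "__main__":
    for alg, denial in [(5, "nsec3"), (7, "nsec"), (1, "nsec3"), (8, "nsec3")]:
        print(alg, denial, check_policy(alg, denial))
    # "Automagically" turning 5 into 7 changes the DNSKEY RR and hence its key tag.
    print(key_tag(SAMPLE_DNSKEY_RDATA), key_tag(with_algorithm(SAMPLE_DNSKEY_RDATA, 7)))
    print(signconf_algorithm(5, "nsec3"))
```

`check_policy` is the kasp.xml-time check: it only ever sees the policy for keys that are about to be generated. `signconf_algorithm` models the other half of the thread: a key already in the key store keeps its stored algorithm number, and the only thing the engine can do when the policy flips to NSEC3 is report that a rollover is required, because the algorithm octet is part of the DNSKEY RDATA that resolvers and the parent's DS record identify the key by.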
