[Opendnssec-user] Publish keys with domanhanteraren

Jelte Jansen jelte at NLnetLabs.nl
Wed Aug 12 10:59:13 UTC 2009



Mattias Andersson wrote:
> Hi,
> 
> I have signed my zone (nonetwork.se) using kasp.xml deny policy like
> <Denial>
>                        <NSEC/>
> </Denial>
> 
> This gives me a signed zone looking like (parts of zone)
> 
> nonetwork.se.   3600    IN      DNSKEY  256 3 7
> nonetwork.se.   3600    IN      RRSIG   DNSKEY 7 2 3600 20090819135454
> 20090812095059 22164 nonetwork.se. Qk8PaoqgoF7hTWafb0BgOm
> 
> And dnscheck gives:
> http://dnscheck.iis.se/?time=1250071868&id=233758&view=advanced&test=standard
> 
> I'm not sure how to interpret this but it seems to me the zone is still
> signed with nsec3 which is not supported?
> Is this right or is there something else that is wrong?
> Please advise and how do I see this for sure, could someone educate me?
> 

If this is the zone you have on your live servers, I can tell you it has been
signed with NSEC, not NSEC3 (just do a dig +dnssec or drill -D query for a
non-existent name).

The signing algorithm 7 (RSASHA1-NSEC3-SHA1) that is used here only tells the
validator that it *could* be signed with NSEC3, but could also be signed with
plain NSEC.

If the validator (or checker, in this case), does not have NSEC3 support, it
should handle this as an unknown algorithm, even though the actual cryptographic
algorithm (RSA/SHA1) is known.

So if you do not plan on using NSEC3 for now, you could change keys to algorithm
5, which should solve your problem. Or wait until the checker has been updated :)

Jelte
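As an added example (not part of the thread or of OpenDNSSEC), here is a small Python checker that applies the rule Jelte describes: it parses dig-style output for a non-existent name to see whether NSEC or NSEC3 records are present, reads the algorithm numbers out of the DNSKEY RRset, and reports how a validator with or without NSEC3 support would treat the zone. The sample records are constructed placeholders modelled on the thread, not the real nonetwork.se data.

```python
import re

# DNSKEY algorithm numbers whose mnemonic carries "NSEC3" (IANA registry).
# RFC 5155, section 2: a validator that does not implement NSEC3 must treat a
# zone signed with one of these as if it used an unknown algorithm.
NSEC3_AWARE_ALGORITHMS = {6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")

def parse_rrs(text):
    """Parse dig-style presentation lines into (owner, ttl, rtype, rdata)."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip dig comments and blanks
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rrs

def denial_type(rrs):
    """'NSEC3' if any NSEC3 RR is present, 'NSEC' if only NSEC, else 'none'."""
    types = {rtype for _, _, rtype, _ in rrs}
    return "NSEC3" if "NSEC3" in types else "NSEC" if "NSEC" in types else "none"

def dnskey_algorithms(rrs):
    """Algorithm numbers from DNSKEY rdata: '<flags> <protocol> <alg> <key>'."""
    return {int(rdata.split()[2]) for _, _, rtype, rdata in rrs if rtype == "DNSKEY"}

def assess(nxdomain_answer, dnskey_answer, validator_has_nsec3):
    """Report how a validator with or without NSEC3 support views this zone."""
    denial = denial_type(parse_rrs(nxdomain_answer))
    algs = dnskey_algorithms(parse_rrs(dnskey_answer))
    unsupported = sorted(a for a in algs if a in NSEC3_AWARE_ALGORITHMS and not validator_has_nsec3)
    if unsupported:
        names = ", ".join(f"{a} ({NSEC3_AWARE_ALGORITHMS[a]})" for a in unsupported)
        verdict = f"unknown-algorithm: {names}; zone treated as insecure even though denial is {denial}"
    else:
        verdict = f"validatable: denial is {denial}"
    return {"denial": denial, "algorithms": sorted(algs), "verdict": verdict}

# Constructed sample data (placeholder names and key material, not real records):
SAMPLE_NXDOMAIN = """
;; AUTHORITY SECTION:
a.example.test. 3600  IN  NSEC  ns.example.test. A RRSIG NSEC
a.example.test. 3600  IN  RRSIG NSEC 7 3 3600 20090819135454 20090812095059 22164 example.test. AAAA
"""
SAMPLE_DNSKEY = """
example.test.   3600  IN  DNSKEY 256 3 7 AwEAAa
"""
```

Running `assess(SAMPLE_NXDOMAIN, SAMPLE_DNSKEY, validator_has_nsec3=False)` reproduces the situation in the thread: the denial is plain NSEC, but algorithm 7 makes an NSEC3-unaware checker treat the zone as unknown-algorithm.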