[Opendnssec-user] Some questions from a new ods user

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 5 13:34:55 UTC 2012



On 07/05/2012 11:20 AM, Georg Sluyterman wrote:
> On 2012-07-05, at 10:45, Matthijs Mekking wrote:
> 
>> Hi,
>> 
>> On 07/05/2012 10:27 AM, Sander Smeenk wrote:
>>> Quoting Georg Sluyterman (georg at sman.dk):
>>> 
> <---cut--->
>>>> When I choose an algorithm type for NSEC3 it seems that only
>>>> key type 1 is allowed and not e.g. 5 or 7, although key type
>>>> 1 is deprecated according to IANA
>>>> (http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.txt).
>>>> Is this about to change, or is there some reason why this is the
>>>> case?
>>> 
>>> No idea. :)
>> 
>> 
>> The number 1 refers to the NSEC3 hash algorithm type. Only SHA-1
>> is defined (1). I think you are confusing it with the DNSKEY
>> algorithm numbers, which should be set in the <Keys> section. If
>> you want to use NSEC3, you want to do 7.
>> 
> 
> 
> Okay.
> 
> Would it work with NSEC3 if I choose e.g. 8 (RSA/SHA-256) for <Key>
> for zsk and ksk?
> 

Yes. The use of the SHA-2 algorithm family signals that there exists
NSEC3 support.

Best regards,
  Matthijs
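
Added example, not part of the original message and not OpenDNSSEC code: a check that catches the mix-up discussed in this thread, where the NSEC3 hash algorithm (only 1 is defined) is confused with the DNSKEY algorithm number set under <Keys>. The element paths are assumed to follow OpenDNSSEC's kasp.xml layout, the policy names and check_kasp() are hypothetical, and the check goes slightly beyond the thread by flagging DNSKEY algorithms 1 and 3 as well as 5.

```python
import xml.etree.ElementTree as ET

# DNSKEY algorithm numbers that predate NSEC3 and do not signal NSEC3 support.
PRE_NSEC3_DNSKEY = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
NSEC3_HASH_ALGS = {1}  # NSEC3 hash algorithm registry: only 1 (SHA-1) is defined

# Constructed sample; element layout assumed to match OpenDNSSEC's kasp.xml.
SAMPLE = """<KASP>
 <Policy name="good">
  <Denial><NSEC3><Hash><Algorithm>1</Algorithm></Hash></NSEC3></Denial>
  <Keys><KSK><Algorithm length="2048">8</Algorithm></KSK>
        <ZSK><Algorithm length="1024">8</Algorithm></ZSK></Keys>
 </Policy>
 <Policy name="confused">
  <Denial><NSEC3><Hash><Algorithm>7</Algorithm></Hash></NSEC3></Denial>
  <Keys><KSK><Algorithm length="2048">5</Algorithm></KSK>
        <ZSK><Algorithm length="1024">7</Algorithm></ZSK></Keys>
 </Policy>
</KASP>"""

def check_kasp(xml_text):
    """Return (policy, element path, message) for each NSEC3 algorithm mix-up."""
    problems = []
    for policy in ET.fromstring(xml_text).iter("Policy"):
        name = policy.get("name", "?")
        if policy.find("Denial/NSEC3") is None:
            continue  # plain NSEC policy: the DNSKEY algorithm is unconstrained
        path = "Denial/NSEC3/Hash/Algorithm"
        value = (policy.findtext(path) or "").strip()
        if not value.isdigit() or int(value) not in NSEC3_HASH_ALGS:
            problems.append((name, path,
                             f"hash algorithm {value!r}; only 1 (SHA-1) is defined"))
        for role in ("KSK", "ZSK"):
            path = f"Keys/{role}/Algorithm"
            for elem in policy.findall(path):
                value = (elem.text or "").strip()
                if not value.isdigit():
                    problems.append((name, path, f"DNSKEY algorithm {value!r} is not a number"))
                elif int(value) in PRE_NSEC3_DNSKEY:
                    problems.append((name, path, f"DNSKEY algorithm {value} "
                                     f"({PRE_NSEC3_DNSKEY[int(value)]}) does not signal NSEC3 support"))
    return problems

if __name__ == "__main__":
    for name, path, message in check_kasp(SAMPLE):
        print(f"{name}: {path}: {message}")
```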