[Opendnssec-user] NSEC3 algorithm not supported in BIND 9.7.3?

Ondřej Surý ondrej at sury.org
Thu Nov 1 08:40:28 UTC 2012

Hi Antonio,

you need to use algorightm number 7 (e.g. RSASHA1-NSEC3-SHA1). RSASHA1
is pre-NSEC3 number.


On Wed, Oct 31, 2012 at 11:16 AM, Antonio Marcos López Alonso
<amla at ipna.csic.es> wrote:
> Hi all,
> I'm setting up a testing DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> succesfully signed a zone using ods and RSASHA1 (algorithm 5) for NSEC3, but
> BIND complains refusing to load the zone:
> warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 5
> error: zone myzone.mydomain.org/IN: no supported nsec3 hash algorithm
> error: zone myzone.mydomain.org/IN: not loaded due to errors.
> Someone told me BIND 9.7.3 supports RSASHA1 for NSEC3, as he succesfully
> signed and loaded the zone after using the dnstools, so I  would like someone
> to confirm this and to cast some light on why this error is being issued.
> Thanks in advance,
> Antonio
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Ondřej Surý <ondrej at sury.org>

More information about the Opendnssec-user mailing list