[Opendnssec-user] NSEC3 algorithm not supported in BIND 9.7.3?

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Nov 6 10:18:16 UTC 2012


Hi Antonio,

My apologies, I thought you were talking about the DNSSEC algorithm
numbers. For that, you want to use 7 (RSASHA1-NSEC3-SHA1) and for
hashing indeed, only number 1 (SHA-1) is defined. So in kasp.xml, you
need something like:

  <Denial>
    <NSEC3>
      ...
      <Hash>
        <Algorithm>1</Algorithm>
        ...
      </Hash>
    </NSEC3>
  </Denial>

and

  <KSK>
    <Algorithm length="1024">7</Algorithm>
    ...
  </KSK>

  <ZSK>
    <Algorithm length="1024">7</Algorithm>
    ...
  </ZSK>

Best regards,
  Matthijs

On 11/06/2012 10:28 AM, Antonio Marcos López Alonso wrote:
> On Thursday, 01 November 2012 11:45:20, Matthijs Mekking wrote:
>> On 11/01/2012 11:22 AM, LOPEZ ALONSO, ANTONIO MARCOS wrote:
>>> Hi Matthijs, Ondrej:
>>>
>>> Still the same errors (but for the algorithm number which is 7 now).
>>
>> Bind should be able to load a zone that is signed with algorithm number
>> 7 and NSEC3. If not, it might be a bug. Please contact the bind developers.
> 
> Hi Matthijs, Ondrej:
> 
> I contacted BIND users mailing list and it seems the current, only-defined 
> algorithm for NSEC3 is SHA-1 (number 1) - citation follows:
> 
> *********************************
> There are a number of different algorithm numbers in various DNSSEC
> related records.
> 
> *  DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
>    This defines how signatures are generated and whether NSEC3 is
>    permitted in the zone as well as which NSEC3 hash algorithms are
>    allowed in the zone.
> *  NSEC3 hash algorithm numbers appear in NSEC3 records.
>    This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
> *  DS hash algorithm numbers appear in DS records.
>    This defines the DS hash algorithm used to generate the DS record.
> 
> Note DS records have 2 algorithm numbers.
> 
> Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
> signatures of the SHA1 hash of the RRset (RSASHA1).  The zone may
> contain NSEC3 records and those NSEC3 records must be generated using
> the SHA1 (1) hash algorithm.
> 
> The error message said you signed the zone with NSEC3 records
> generated with hash algorithm 7.  There is no such algorithm defined
> for NSEC3 records.
> 
> Mark
> 
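Added example, not from the thread or from OpenDNSSEC itself: a small checker for the two separate registries Mark's reply distinguishes (DNSSEC signing algorithm numbers in DNSKEY/RRSIG/DS versus NSEC3 hash algorithm numbers in NSEC3 records), run over a constructed kasp.xml fragment shaped like Matthijs's snippet, together with the RFC 5155 NSEC3 hash computation so that "hash algorithm 1 means SHA-1" is concrete. The kasp.xml layout (Policy/Denial/NSEC3/Hash/Algorithm and Policy/Keys/KSK|ZSK/Algorithm) is an assumption modelled on the fragment above; the RFC 5155 Appendix A test vector (zone example., salt aabbccdd, 12 iterations) is used to check the hash.

```python
"""Check kasp.xml algorithm numbers and compute NSEC3 hashes (RFC 5155).

Added example; element layout below is assumed from the mailing-list snippet.
"""
import hashlib
import xml.etree.ElementTree as ET

# DNSSEC signing algorithm numbers (DNSKEY/RRSIG/DS) that permit NSEC3 in a
# zone, per RFC 5155 and the IANA "DNS Security Algorithm Numbers" registry.
# 1 (RSAMD5), 3 (DSA) and 5 (RSASHA1) are NSEC-only; their NSEC3-aware
# aliases are 6 (DSA-NSEC3-SHA1) and 7 (RSASHA1-NSEC3-SHA1).
NSEC3_CAPABLE_SIGNING_ALGS = {6, 7, 8, 10, 12, 13, 14, 15, 16}

# NSEC3 hash algorithm numbers (the NSEC3/NSEC3PARAM "Hash Algorithm" field,
# a different registry): only 1 (SHA-1) is defined.
NSEC3_HASH_ALGS = {1: "SHA-1"}


def check_kasp(xml_text):
    """Return a list of problems found in a kasp.xml document (empty if OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    for policy in root.iter("Policy"):
        pname = policy.get("name", "?")
        hash_alg = policy.find("Denial/NSEC3/Hash/Algorithm")
        uses_nsec3 = hash_alg is not None
        if uses_nsec3 and int(hash_alg.text) not in NSEC3_HASH_ALGS:
            problems.append(
                f"policy {pname}: NSEC3 hash algorithm {hash_alg.text} is not "
                f"defined; only {sorted(NSEC3_HASH_ALGS)} (SHA-1) exists")
        for key_kind in ("KSK", "ZSK"):
            alg = policy.find(f"Keys/{key_kind}/Algorithm")
            if alg is None:
                continue
            if uses_nsec3 and int(alg.text) not in NSEC3_CAPABLE_SIGNING_ALGS:
                problems.append(
                    f"policy {pname}: {key_kind} signing algorithm {alg.text} "
                    f"does not permit NSEC3; use e.g. 7 (RSASHA1-NSEC3-SHA1)")
    return problems


def _base32hex(data):
    """RFC 4648 base32hex (lowercase, no padding), as used for NSEC3 owner names."""
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(alphabet[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def nsec3_hash(owner_name, salt_hex, iterations, hash_alg=1):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt);
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt). H is SHA-1 for algorithm 1."""
    if hash_alg not in NSEC3_HASH_ALGS:
        raise ValueError(f"NSEC3 hash algorithm {hash_alg} is not defined")
    # Canonical wire format of the owner name: lowercase, length-prefixed labels.
    labels = [l.encode() for l in owner_name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _base32hex(digest)


# Constructed kasp.xml fragments (layout assumed from the thread's snippet).
KASP_OK = """<KASP><Policy name="default">
  <Denial><NSEC3><Hash><Algorithm>1</Algorithm><Iterations>5</Iterations>
    <Salt length="8"/></Hash></NSEC3></Denial>
  <Keys><KSK><Algorithm length="1024">7</Algorithm></KSK>
        <ZSK><Algorithm length="1024">7</Algorithm></ZSK></Keys>
</Policy></KASP>"""

# The mistake from the thread: signing algorithm 7 copied into the NSEC3 hash field.
KASP_BAD_HASH = KASP_OK.replace("<Algorithm>1</Algorithm>", "<Algorithm>7</Algorithm>")

# NSEC3 combined with plain RSASHA1 (5), which is NSEC-only.
KASP_BAD_KEY = KASP_OK.replace('length="1024">7', 'length="1024">5')


if __name__ == "__main__":
    for label, doc in (("ok", KASP_OK), ("bad hash", KASP_BAD_HASH),
                       ("bad key", KASP_BAD_KEY)):
        print(label, check_kasp(doc) or "no problems")
    print("example. ->", nsec3_hash("example.", "aabbccdd", 12))
```

Running the script prints one problem for the "bad hash" document (hash algorithm 7 is undefined, exactly the error BIND reported), two for the "bad key" document (KSK and ZSK algorithm 5 with NSEC3), and none for the policy Matthijs describes; the last line reproduces the RFC 5155 Appendix A hashed owner name for example. using hash algorithm 1.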

