[Opendnssec-user] NSEC3 algorithm not supported in BIND 9.7.3?

Antonio Marcos López Alonso amla at ipna.csic.es
Tue Nov 6 09:28:13 UTC 2012


On Thursday 01 November 2012 11:45:20 Matthijs Mekking wrote:
> On 11/01/2012 11:22 AM, LOPEZ ALONSO, ANTONIO MARCOS wrote:
> > Hi Matthijs, Ondrej:
> > 
> > Still the same errors (but for the algorithm number which is 7 now).
> 
> Bind should be able to load a zone that is signed with algorithm number
> 7 and NSEC3. If not, it might be a bug. Please contact the bind developers.

Hi Matthijs, Ondrej:

I contacted the BIND users mailing list and it seems the only currently defined 
hash algorithm for NSEC3 is SHA-1 (number 1) - citation follows:

*********************************
There are a number of different algorithm numbers in various DNSSEC
related records.

*  DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
   This defines how signatures are generated and whether NSEC3 is
   permitted in the zone as well as which NSEC3 hash algorithms are
   allowed in the zone.
*  NSEC3 hash algorithm numbers appear in NSEC3 records.
   This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
*  DS hash algorithm numbers appear in DS records.
   This defines the DS hash algorithm used to generate the DS record.

Note DS records have 2 algorithm numbers.

Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
signatures of the SHA1 hash of the RRset (RSASHA1).  The zone may
contain NSEC3 records and those NSEC3 records must be generated using
the SHA1 (1) hash algorithm.

The error message said you signed the zone with NSEC3 records
generated with hash algorithm 7.  There is no such algorithm defined
for NSEC3 records.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
****************************************************

Kind regards,
Antonio

> 
> > Anyways, is not algorithm 7 an alias for 5? Backward compatibility
> > issues should arise with 7 but not with 5? Or am I wrong?
> 
> Algorithm 7 is indeed an alias for 5. A resolver that understands
> algorithm 7 MUST support NSEC3. The backwards compatibility issue is
> when you sign your zone with NSEC3 and algorithm 5, a resolver that does
> not implement NSEC3 will not be able to validate denial of existence for
> that zone. Answers will be marked bogus. With algorithm 7, such
> resolvers will mark answers insecure.
> 
> Best regards,
>    Matthijs
> 
> > Regards,
> > Antonio
> > 
> > Quoting Matthijs Mekking:
> >  > Hi Antonio,
> >  > 
> >  > You should use algorithm 7, RSASHA1-NSEC3-SHA1. It's SHA1 for NSEC3.
> >  > 
> >  > Best regards,
> >  > 
> >  >   Matthijs
> >  > 
> >  > On 10/31/2012 11:16 AM, Antonio Marcos López Alonso wrote:
> >  >> Hi all,
> >  >> 
> >  >> I'm setting up a testing DNSSEC server using BIND 9.7.3 and
> >  >> OpenDNSSEC. I have successfully signed a zone using ods and RSASHA1
> >  >> (algorithm 5) for NSEC3, but BIND complains, refusing to load the zone:
> >  >> 
> >  >> warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 5
> >  >> error: zone myzone.mydomain.org/IN: no supported nsec3 hash algorithm
> >  >> error: zone myzone.mydomain.org/IN: not loaded due to errors.
> >  >> 
> >  >> Someone told me BIND 9.7.3 supports RSASHA1 for NSEC3, as he
> >  >> successfully signed and loaded the zone after using the dnstools, so
> >  >> I would like someone to confirm this and to cast some light on why
> >  >> this error is being issued.
> > 
> >  >> Thanks in advance,
> >  >> Antonio
> >  >> _______________________________________________
> >  >> Opendnssec-user mailing list
> >  >> Opendnssec-user at lists.opendnssec.org
> >  >> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

**********************************
Antonio Marcos López Alonso

Servicio de Informática y
Telecomunicaciones

Instituto de Productos Naturales
y Agrobiología (IPNA-CSIC)

mailto:amla at ipna.csic.es
(+34) 922 260 190 (Ext. 237)
***********************************
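The three kinds of algorithm number Mark distinguishes in the quoted reply above, and Matthijs's point about what an NSEC3-unaware validator does with a zone signed under algorithm 5 versus 7, as an added worked example in Python. This is not code from this thread, from OpenDNSSEC or from BIND: the tiny presentation-format parser, the check_zone and negative_answer_status functions and the zone fragments (with truncated key, signature and digest data) are constructed for illustration; the registry tables are the IANA DNSSEC algorithm numbers, NSEC3 hash algorithm numbers and DS digest types.

```python
# Added example (not from the thread, OpenDNSSEC or BIND): a consistency check for
# the three kinds of algorithm number that live in a DNSSEC-signed zone.
# Zone fragments below are constructed; key/signature/digest fields are truncated.
import re

# 1. DNSSEC algorithm numbers (DNSKEY, RRSIG and the DS "algorithm" field), IANA registry.
#    Second element: does the number itself tell a validator that NSEC3 may be in use?
DNSSEC_ALGORITHMS = {
    3: ("DSA", False),              5: ("RSASHA1", False),
    6: ("DSA-NSEC3-SHA1", True),    7: ("RSASHA1-NSEC3-SHA1", True),
    8: ("RSASHA256", True),         10: ("RSASHA512", True),
    13: ("ECDSAP256SHA256", True),  14: ("ECDSAP384SHA384", True),
    15: ("ED25519", True),          16: ("ED448", True),
}
# 2. NSEC3 hash algorithm numbers (NSEC3 and NSEC3PARAM): only SHA-1 is registered.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}
# 3. DS digest types, the second algorithm number carried by a DS record.
DS_DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256", 3: "GOST R 34.11-94", 4: "SHA-384"}

# owner [ttl] [IN] TYPE rdata...   (assumed minimal presentation-format line shape)
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z0-9]+)\s+(.*)$")

def parse_zone(text):
    """Return (owner, type, rdata tokens) per record; ';' comments and blank lines dropped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            m = RECORD.match(line)
            if m:
                records.append((m.group(1), m.group(2), m.group(3).split()))
    return records

def check_zone(text):
    """List problems, each naming which algorithm number is wrong and in which record."""
    problems, signing_algs, nsec3_seen = [], set(), False
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "DNSKEY":                      # flags protocol algorithm key
            signing_algs.add(int(rdata[2]))
        elif rtype == "RRSIG":                     # type alg labels ttl exp inc keytag signer sig
            if int(rdata[1]) not in DNSSEC_ALGORITHMS:
                problems.append(f"{owner} RRSIG: unknown DNSSEC algorithm {rdata[1]}")
        elif rtype in ("NSEC3", "NSEC3PARAM"):     # hash-alg flags iterations salt ...
            nsec3_seen = True
            if int(rdata[0]) not in NSEC3_HASH_ALGORITHMS:
                problems.append(f"{owner} {rtype}: unsupported nsec3 hash algorithm {rdata[0]}")
        elif rtype == "DS":                        # keytag alg digest-type digest
            if int(rdata[1]) not in DNSSEC_ALGORITHMS:
                problems.append(f"{owner} DS: unknown DNSSEC algorithm {rdata[1]}")
            if int(rdata[2]) not in DS_DIGEST_TYPES:
                problems.append(f"{owner} DS: unknown digest type {rdata[2]}")
    for alg in sorted(signing_algs):
        if alg not in DNSSEC_ALGORITHMS:
            problems.append(f"DNSKEY: unknown DNSSEC algorithm {alg}")
        elif nsec3_seen and not DNSSEC_ALGORITHMS[alg][1]:
            problems.append(f"zone uses NSEC3 but DNSKEY algorithm {alg} "
                            f"({DNSSEC_ALGORITHMS[alg][0]}) does not signal NSEC3; use 7")
    return problems

def negative_answer_status(dnskey_alg, resolver_supports_nsec3):
    """What a validator concludes about a denial of existence from an NSEC3-signed zone."""
    if dnskey_alg not in DNSSEC_ALGORITHMS:
        return "insecure"                          # unknown algorithm: treated as unsigned
    if resolver_supports_nsec3:
        return "secure"
    # A pre-NSEC3 validator knows algorithm 5 but not the aliases: NSEC3 records it
    # cannot use under a known algorithm leave the answer bogus, whereas an algorithm
    # it does not know at all (7 and later) makes the zone insecure instead.
    return "insecure" if DNSSEC_ALGORITHMS[dnskey_alg][1] else "bogus"

# Constructed fragments reproducing the mistake reported in the thread and its fix.
ZONE_BROKEN = """
myzone.mydomain.org. 3600 IN DNSKEY 257 3 5 AwEAAc... ; KSK, RSASHA1
myzone.mydomain.org. 3600 IN NSEC3PARAM 5 0 10 AABBCCDD ; DNSSEC alg number used as hash alg
myzone.mydomain.org. 3600 IN RRSIG SOA 5 3 3600 20121201000000 20121101000000 12345 myzone.mydomain.org. c2ln...
"""
ZONE_FIXED = """
myzone.mydomain.org. 3600 IN DNSKEY 257 3 7 AwEAAc... ; KSK, RSASHA1-NSEC3-SHA1
myzone.mydomain.org. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD ; NSEC3 hash alg 1 = SHA-1
myzone.mydomain.org. 3600 IN RRSIG SOA 7 3 3600 20121201000000 20121101000000 12345 myzone.mydomain.org. c2ln...
myzone.mydomain.org. 3600 IN DS 12345 7 2 49FD46E6... ; DNSSEC alg 7, digest type 2 (SHA-256)
"""

if __name__ == "__main__":
    for name, zone in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        print(name, check_zone(zone) or "ok")
    for alg in (5, 7):
        print(f"alg {alg}, NSEC3-unaware resolver:", negative_answer_status(alg, False))
```

Run against ZONE_BROKEN the checker reports the same "unsupported nsec3 hash algorithm 5" condition BIND logged, plus the separate problem that an NSEC3 zone is signed under plain RSASHA1; ZONE_FIXED passes. The last two lines show the compatibility trade-off Matthijs describes: an NSEC3-unaware validator returns bogus for the algorithm 5 zone but insecure for the algorithm 7 one.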

