DNSSEC - mismatch between algorithm and type of NSEC
Alan Clegg
aclegg at isc.org
Wed Dec 29 14:25:13 UTC 2010
On 12/29/2010 3:37 AM, Marc Lampo wrote:

> However, we now found the following case :
> 1) registrar offers us DNSKEY information with algorithm 7 :
> RSASHA1-NSEC3-SHA1
> 2) in the zone file, there are NSEC (and not NSEC3) records

This is not an error.

The only reason for there being "different" algorithm numbers within
RSASHA1 was to keep "older" systems that don't know about NSEC3 from
dealing with NSEC3 responses incorrectly.

All "newer" algorithms can be used for both NSEC and NSEC3.

AlanC
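
The check implied by the reply above, as an added example that is not part of the original message: it reads zone-file text and flags only the combination RFC 5155 section 2 disallows (an algorithm that predates NSEC3 in an NSEC3-signed zone), while algorithm 7 with NSEC passes. The function name, the sample zones and the one-record-per-line input shape are assumptions made for the example.

```python
import re

# Algorithms defined before NSEC3 existed; RFC 5155 section 2 does not allow
# them in an NSEC3-signed zone, because old validators would mishandle it.
PRE_NSEC3_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}

# owner [TTL] [IN] TYPE RDATA, one record per line (assumed input shape)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(DNSKEY|NSEC3|NSEC)\s+(.*)$")

def check_zone(zone_text):
    """Return (DNSKEY algorithms, denial record types, problems)."""
    algs, denial, problems = set(), set(), []
    for line in zone_text.splitlines():
        m = RR.match(line.split(";", 1)[0].strip())  # drop comments
        if not m:
            continue
        rtype, rdata = m.group(2), m.group(3).split()
        if rtype == "DNSKEY":
            algs.add(int(rdata[2]))  # RDATA: flags, protocol, algorithm, key
        else:
            denial.add(rtype)
    if "NSEC3" in denial:
        for alg in sorted(algs & set(PRE_NSEC3_ALGS)):
            problems.append(
                f"algorithm {alg} ({PRE_NSEC3_ALGS[alg]}) used with NSEC3")
    # NSEC needs no check: algorithms 6, 7 and later are valid with NSEC too.
    return algs, denial, problems

# Constructed sample zones (key and hash material are placeholders).
ALG7_WITH_NSEC = """
example.test.   3600 IN DNSKEY 257 3 7 AwEAAcPLACEHOLDER ; the case in the thread
example.test.   3600 IN NSEC   www.example.test. NS SOA RRSIG NSEC DNSKEY
"""
ALG5_WITH_NSEC3 = """
example.test.   3600 IN DNSKEY 257 3 5 AwEAAcPLACEHOLDER
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 10 AABBCCDD 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA RRSIG
"""

if __name__ == "__main__":
    for name, zone in (("alg 7 + NSEC", ALG7_WITH_NSEC),
                       ("alg 5 + NSEC3", ALG5_WITH_NSEC3)):
        print(name, "->", check_zone(zone)[2] or "OK")
```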