nsec3 in bind 9.7
Paul Wouters
paul at xelerance.com
Sat Feb 20 01:40:07 UTC 2010
On Fri, 19 Feb 2010, Shane W wrote:
>> algorithm of 1 means use SHA-1 for hashing names; flags of 1 means opt-out
>> and 0 means no opt-out; iterations indicates how many times to repeat the
>
> Hmm, when attempting to add a nsec3param via nsupdate, I
> get:
> NSEC only DNSKEYs and NSEC3 chains not allowed
You have likely got RSASHA1 DNSKEYs. For RSASHA1, the DNSKEY with
NSEC3 support has a different algorithm number (for newer type keys,
like RSASHA256, these are no longer separate algorithm numbers).
You would need to roll over your key first to a new algorithm, NSEC3RSASHA1
(or start from scratch with NSEC3RSASHA1 type DNSKEYs if this is
a testing zone).
By the way, unless your zone is very large (TLD size), NSEC3 will not
give you much extra, and it is recommended that small zones not use
it, to keep debugging easier on humans and to avoid expensive hashing
on the resolvers.
Paul
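The two things behind this answer, as an added example that is not part of the thread and not BIND code: a pre-flight check that a zone's DNSKEY algorithms allow an NSEC3 chain at all (algorithms 1, 3 and 5 are NSEC-only, so a zone holding such a key produces the "NSEC only DNSKEYs and NSEC3 chains not allowed" refusal, while 7 = NSEC3RSASHA1 and 8 = RSASHA256 do not), and the NSEC3 owner-name hash itself, which shows what the hash algorithm, salt and iteration count in NSEC3PARAM actually do. The DNSKEY lines are constructed with placeholder key material; the hash follows RFC 5155 section 5 and is checked against that RFC's Appendix A vector (salt aabbccdd, 12 iterations).

```python
import base64
import hashlib
import re

# DNSSEC algorithm numbers from the IANA registry. Algorithms 1, 3 and 5
# predate RFC 5155 and are "NSEC only": a zone that holds any such DNSKEY
# cannot carry an NSEC3 chain, which is the condition behind the nsupdate
# error quoted in the thread.
NSEC_ONLY_ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
NSEC3_CAPABLE_ALGORITHMS = {
    6: "DSA-NSEC3-SHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# Constructed DNSKEY lines (presentation format: owner TTL class DNSKEY
# flags protocol algorithm key). The key material is a placeholder, not a key.
CONSTRUCTED_DNSKEYS = """\
example.  3600 IN DNSKEY 256 3 5 AwEAAplaceholderZSK==
example.  3600 IN DNSKEY 257 3 5 AwEAAplaceholderKSK==
"""

DNSKEY_RE = re.compile(
    r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.I
)


def dnskey_algorithms(zone_text):
    """Return the algorithm number of every DNSKEY record in the text."""
    algs = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            algs.append(int(m.group(3)))
    return algs


def nsec3_blockers(zone_text):
    """NSEC-only algorithm numbers present in the DNSKEY RRset.

    An empty list means an NSEC3PARAM record can be added. During a
    rollover from 5 to 7 both are present, and the zone must stay NSEC
    until the last algorithm-5 key has been removed from the RRset.
    """
    return sorted({a for a in dnskey_algorithms(zone_text) if a in NSEC_ONLY_ALGORITHMS})


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name, e.g. b'\\x07example\\x00'."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"      # RFC 4648 base32 alphabet
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # base32hex, as used by NSEC3


def nsec3_hash(name, salt_hex="", iterations=0, algorithm=1):
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).

    algorithm 1 is SHA-1, the only hash algorithm NSEC3 defines. The result
    is the 32-character lowercase base32hex string used as the NSEC3 owner.
    """
    if algorithm != 1:
        raise ValueError("NSEC3 hash algorithm %d is not defined" % algorithm)
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_wire(name) + salt).digest()
    for _ in range(iterations):          # each extra iteration costs a SHA-1
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(
        str.maketrans(_B32, _B32HEX)).lower()


if __name__ == "__main__":
    blockers = nsec3_blockers(CONSTRUCTED_DNSKEYS)
    if blockers:
        print("NSEC3 not possible; NSEC-only algorithms in DNSKEY RRset:",
              ", ".join("%d (%s)" % (a, NSEC_ONLY_ALGORITHMS[a]) for a in blockers))
    else:
        print("DNSKEY RRset is NSEC3-capable")
    # RFC 5155 Appendix A vector: "example." with NSEC3PARAM 1 0 12 aabbccdd
    print(nsec3_hash("example.", "aabbccdd", 12))  # → 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
```

Run against a `dig DNSKEY` dump of the zone before issuing the NSEC3PARAM update; the hash function doubles as a way to reproduce the owner names of an existing NSEC3 chain when checking a signed zone by hand.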