DNSSEC DS record generation for DOT-US from NSEC3 signed-zone

Jason Roysdon bind-users.20100813 at jason.roysdon.net
Sat Aug 14 01:08:12 UTC 2010


I am working on getting my DS record added to the DOT-US zone with
Neustar.  In doing so, I found out they have a limitation of only
supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
RSA/SHA1:
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

They do not support algorithm 7, which is RSASHA1-NSEC3-SHA1.  So when I
sent them my DS keys, they added them as algorithm 3, which of course
didn't work and reported bogus DS records, so they pulled the record
back out.

The problem I have is that my zone is using an NSEC3 and when BIND's
dnssec-signzone generates dsset files, it does so with algorithm 7.  How
can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
as Neustar requires?

Thanks,

Jason Roysdon
http://jason.roysdon.net/
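Added illustration, not part of the post above or of BIND: it builds a DS record (digest type 1, SHA-1) from a DNSKEY the way RFC 4034 defines it and then checks the DS against that key the way a validator would. The algorithm field of the DS is copied from the DNSKEY, so a DS re-labelled as algorithm 3 no longer matches an algorithm-7 key, which is the "bogus DS" outcome described. The owner name and the 32-byte public key blob are constructed placeholders.

```python
import hashlib
import struct
from typing import NamedTuple


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, as in a dsset file


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DS:
    """DS with digest type 1 (SHA-1): digest covers owner name wire form + DNSKEY RDATA.
    The DS algorithm field is the DNSKEY's algorithm, not something chosen separately."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha1(name_to_wire(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, 1, digest)


def ds_matches(ds: DS, owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bool:
    """Validator view: every DS field must agree with the child's DNSKEY."""
    return ds == make_ds(owner, flags, protocol, algorithm, pubkey)


# Constructed sample: a KSK (flags 257, protocol 3) for algorithm 7 with a made-up
# 32-byte public key blob; no real key material is involved.
OWNER = "example.us."
KSK = (257, 3, 7, bytes(range(32)))

if __name__ == "__main__":
    ds = make_ds(OWNER, *KSK)
    print(f"{OWNER} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
    relabelled = ds._replace(algorithm=3)  # same digest, algorithm field rewritten to 3
    print("re-labelled DS matches the DNSKEY:", ds_matches(relabelled, OWNER, *KSK))  # False
```

Note that digest type 1 means SHA-1 is used for the DS digest regardless of the key algorithm; the DS algorithm field is a separate value that must equal the DNSKEY's own algorithm number.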
