DNSSEC DS record generation for DOT-US from NSEC3 signed-zone

Mark Andrews marka at isc.org
Mon Aug 16 02:34:40 UTC 2010


In message <4C67047A.3020402 at jason.roysdon.net>, Jason Roysdon writes:
> 
> On 08/14/2010 12:43 AM, Matthew Seaman wrote:
> > On 14/08/2010 02:08, Jason Roysdon wrote:
> >> The problem I have is that my zone is using an NSEC3 and when BIND's
> >> dnssec-signzone generates dsset files, it does so with algorithm 7.  How
> >> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
> >> as Neustar requires?
> > 
> > Add a second KSK of the appropriate type to your zone, and register that
> > upstream.  It's perfectly normal to have several keys signing a zone and
> > active -- the normal key rollover mechanisms rely on it.  The standard
> > says that up to 5 (I think) such keys must be supported.
> > 
> > 	Cheers,
> > 
> > 	Matthew
> > 
> 
> I generated an NSEC algorithm 5 KSK and put an $INCLUDE for it in my
> zone.  I tried to sign the zone so it would start replicating the KSK,
> and I get this error when signing:
> 
> $ /usr/sbin/dnssec-signzone -g -k Kmyzone.us.+007+XXXXX.key -o myzone.us
> myzone.us Kmyzone.+007+YYYYY
> 
> dnssec-signzone: NSEC3 generation requested with NSEC only DNSKEY
> 
> myzone.us zone has:
> $INCLUDE Kmyzone.us.+007+XXXXX.key
> $INCLUDE Kmyzone.us.+007+YYYYY.key
> $INCLUDE Kmyzone.us.+005+ZZZZZ.key
> 
> The error only occurs once I add the NSEC $INCLUDE.
> 
> Looking at this error, it appears you cannot mix NSEC-only keys with NSEC3.
> 
> Any other suggestions?

You need to switch from NSEC3 to NSEC.  By default dnssec-signzone
will do NSEC unless it finds a NSEC3PARAM RRset in the zone, in which
case it will use one of the parameter sets found there for the
NSEC3 chain generation.

To switch use "dnssec-signzone -u" and don't specify any NSEC3
parameters.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
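As an added example (not from this thread or from BIND's own code), a small Python check that models the two rules Mark describes: dnssec-signzone builds an NSEC3 chain only when it finds an NSEC3PARAM RRset, and it refuses to combine that chain with NSEC-only DNSKEY algorithms, which is the error Jason hit. The zone text and key data are constructed placeholders, and the `update_chain_to_nsec` flag is an assumption standing in for `-u` with no NSEC3 parameters.

```python
import re

# RFC 5155 section 2: algorithms 1 (RSAMD5), 3 (DSA) and 5 (RSASHA1) carry no
# NSEC3 awareness; 6 and 7 are their NSEC3-aware aliases and every later
# algorithm understands NSEC3.  dnssec-signzone refuses an NSEC3 chain when
# any NSEC-only algorithm is among the zone's DNSKEYs.
NSEC_ONLY_ALGORITHMS = {1, 3, 5}
SIGNZONE_ERROR = "NSEC3 generation requested with NSEC only DNSKEY"

DNSKEY_RE = re.compile(r"\bDNSKEY\s+\d+\s+\d+\s+(\d+)\s", re.IGNORECASE)
NSEC3PARAM_RE = re.compile(r"\bNSEC3PARAM\b", re.IGNORECASE)

def strip_comments(zone_text):
    """Drop ';' comments so commented-out records are not counted."""
    return "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())

def dnskey_algorithms(zone_text):
    """Algorithm numbers of every DNSKEY record in the include-expanded zone."""
    return {int(m.group(1)) for m in DNSKEY_RE.finditer(strip_comments(zone_text))}

def predict_signing(zone_text, update_chain_to_nsec=False):
    """Predict the chain type dnssec-signzone will build and whether it refuses.

    update_chain_to_nsec models 'dnssec-signzone -u' with no NSEC3 parameters
    (an assumption about the flag's effect), the route back to NSEC.
    Returns (chain, error) where error is None or the signer's message.
    """
    body = strip_comments(zone_text)
    nsec3 = bool(NSEC3PARAM_RE.search(body)) and not update_chain_to_nsec
    chain = "NSEC3" if nsec3 else "NSEC"
    if nsec3 and dnskey_algorithms(body) & NSEC_ONLY_ALGORITHMS:
        return chain, SIGNZONE_ERROR
    return chain, None

# Constructed stand-in for myzone.us with its three $INCLUDEd keys expanded;
# the key material is placeholder text, not real DNSKEY data.
SAMPLE_ZONE = """\
$ORIGIN myzone.us.
@ 3600 IN SOA ns1 hostmaster 2010081401 7200 3600 1209600 3600
@ 3600 IN NSEC3PARAM 1 0 10 ABCDEF
@ 3600 IN DNSKEY 257 3 7 PLACEHOLDERKSK7==   ; Kmyzone.us.+007+XXXXX
@ 3600 IN DNSKEY 256 3 7 PLACEHOLDERZSK7==   ; Kmyzone.us.+007+YYYYY
@ 3600 IN DNSKEY 257 3 5 PLACEHOLDERKSK5==   ; Kmyzone.us.+005+ZZZZZ
"""

if __name__ == "__main__":
    print(predict_signing(SAMPLE_ZONE))                             # NSEC3, refused
    print(predict_signing(SAMPLE_ZONE, update_chain_to_nsec=True))  # NSEC, signs
```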


