BIND 9.7.3 and NSEC3 hash algorithms 5 & 7 (RSA/SHA-1)

Antonio Marcos López Alonso amla at ipna.csic.es
Mon Nov 5 13:17:50 UTC 2012


On Monday 05 November 2012 13:05:30 Mark Andrews wrote:
> In message <201211051239.55119.amla at ipna.csic.es>, Antonio Marcos
> López Alonso writes:
> > On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> > > In message <201211051152.45367.amla at ipna.csic.es>, Antonio Marcos
> > > López Alonso writes:
> > > > Hi,
> > > > 
> > > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > > > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > > > (algorithms 5 and 7, both being aliases), but BIND refuses to load the
> > > > zone complaining these algorithms are not supported:
> > > > 
> > > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > > > algorithm: 7
> > > 
> > > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > > http://www.iana.org/assignments/dnssec-nsec3-parameters
> > > 
> > > 5 and 7 refer to DNSKEY algorithms.
> > 
> > http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
> > 
> > I'm a little bit confused here. If SHA-1 is the only defined hash
> > algorithm for NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and
> > why does it work in a command like:
> > dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
> > 
> > Sorry in advance for the question but I'm still getting the nuts and
> > bolts of
> > DNSSEC. :-)
> > 
> > Kind regards,
> > Antonio
> 
> There are a number of different algorithm numbers in various DNSSEC
> related records.
> 
> *  DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
>    This defines how signatures are generated and whether NSEC3 is
>    permitted in the zone as well as which NSEC3 hash algorithms are
>    allowed in the zone.
> *  NSEC3 hash algorithm numbers appear in NSEC3 records.
>    This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
> *  DS hash algorithm numbers appear in DS records.
>    This defines the DS hash algorithm used to generate the DS record.
> 
> Note DS records have 2 algorithm numbers.
> 
> Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
> signatures of the SHA1 hash of the RRset (RSASHA1).  The zone *may*
> contain NSEC3 records and those NSEC3 records must be generated using
> the SHA1 (1) hash algorithm.
> 
> The error message said you signed the zone with NSEC3 records
> generated with hash algorithm 7.  There is no such algorithm defined
> for NSEC3 records.
> 
> Mark


Clear as water. Thanks a lot for taking the time to point me out right!

Kind regards,
Antonio
**********************************
Antonio Marcos López Alonso

Servicio de Informática y
Telecomunicaciones

Instituto de Productos Naturales
y Agrobiología (IPNA-CSIC)

mailto:amla at ipna.csic.es
(+34) 922 260 190 (Ext. 237)
***********************************
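Mark's reply above separates three algorithm number spaces that are easy to mix up. As an added example (not code from this thread, BIND or OpenDNSSEC), the script below checks a signed zone for exactly that confusion: it flags any NSEC3 or NSEC3PARAM record whose hash algorithm is not 1 (SHA-1), and any DNSKEY algorithm that does not permit NSEC3 in the zone. The zone text, owner names and key material are constructed, and the parser assumes one record per line in presentation format.

```python
import re
# IANA NSEC3 hash algorithm registry: only 1 (SHA-1) is defined.
NSEC3_HASH_ALGS = {1: "SHA-1"}

# DNSKEY/RRSIG/DS algorithm numbers.  Those that permit NSEC3 in the zone:
# 6 and 7 (RFC 5155), 8 and 10 (RFC 5702).  5 (RSASHA1) does not.
DNSKEY_ALGS = {5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
               8: "RSASHA256", 10: "RSASHA512"}
NSEC3_CAPABLE = {6, 7, 8, 10}


def parse_records(zone_text):
    """Yield (owner, rtype, rdata_fields) for each presentation-format RR line."""
    for line in zone_text.splitlines():
        fields = re.sub(r"[()]", " ", line.split(";")[0]).split()
        if "IN" not in fields:
            continue  # blank line, comment or $directive
        cls = fields.index("IN")
        yield fields[0], fields[cls + 1], fields[cls + 2:]


def check_zone(zone_text):
    """Return problems found, phrased like BIND's load-time warnings."""
    problems, dnskey_algs, has_nsec3 = [], set(), False
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "DNSKEY":
            dnskey_algs.add(int(rdata[2]))  # flags, protocol, algorithm, key
        elif rtype in ("NSEC3", "NSEC3PARAM"):
            has_nsec3 = True
            hash_alg = int(rdata[0])  # hash alg, flags, iterations, salt, ...
            if hash_alg not in NSEC3_HASH_ALGS:
                problems.append(f"{owner}: unsupported nsec3 hash algorithm: {hash_alg}")
    if has_nsec3:
        for alg in sorted(dnskey_algs - NSEC3_CAPABLE):
            problems.append(f"DNSKEY algorithm {alg} ({DNSKEY_ALGS.get(alg, '?')}) "
                            "does not permit NSEC3 in this zone")
    return problems


# Constructed sample: a zone whose signer wrote the DNSKEY algorithm number (7)
# into the NSEC3 hash algorithm field, as in the thread.  Key data is fake.
BROKEN_ZONE = """\
myzone.mydomain.org.  3600 IN DNSKEY 257 3 7 AwEAAcExampleKSK==
myzone.mydomain.org.  3600 IN DNSKEY 256 3 7 AwEAAcExampleZSK==
myzone.mydomain.org.  3600 IN NSEC3PARAM 7 0 10 ABCD
K2F3.myzone.mydomain.org. 3600 IN NSEC3 7 0 10 ABCD ( P9R4 NS SOA RRSIG DNSKEY )
"""
# Same zone with the NSEC3 hash algorithm set to 1 (SHA-1), as Mark describes.
FIXED_ZONE = BROKEN_ZONE.replace("NSEC3PARAM 7", "NSEC3PARAM 1").replace("NSEC3 7", "NSEC3 1")

if __name__ == "__main__":
    for name, zone in ("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE):
        print(name, check_zone(zone) or ["ok"])
```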
