On 08/14/2010 12:43 AM, Matthew Seaman wrote:
> On 14/08/2010 02:08, Jason Roysdon wrote:
>> The problem I have is that my zone is using an NSEC3 and when BIND's
>> dnssec-signzone generates dsset files, it does so with algorithm 7. How
>> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
>> as Neustar requires?
>
> Add a second KSK of the appropriate type to your zone, and register that
> upstream. It's perfectly normal to have several keys signing a zone and
> active -- the normal key rollover mechanisms rely on it. The standard
> says that up to 5 (I think) such keys must be supported.
>
> Cheers,
>
> Matthew
I generated an NSEC algorithm 5 KSK and put an $INCLUDE for it in my zone. I tried to sign the zone so it would start replicating the KSK, and I get this error when signing:

    $ /usr/sbin/dnssec-signzone -g -k Kmyzone.us.+007+XXXXX.key -o myzone.us myzone.us Kmyzone.+007+YYYYY
    dnssec-signzone: NSEC3 generation requested with NSEC only DNSKEY

myzone.us zone has:

    $INCLUDE Kmyzone.us.+007+XXXXX.key
    $INCLUDE Kmyzone.us.+007+YYYYY.key
    $INCLUDE Kmyzone.us.+005+ZZZZZ.key

The error only occurs once I add the NSEC $INCLUDE. Looking at this error, it appears you cannot mix NSEC-only keys with NSEC3. Any other suggestions?

Jason Roysdon
http://jason.roysdon.net/
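The rule behind the dnssec-signzone refusal above, as an added pre-flight check that is not part of this thread: it reads the DNSKEY RRs (what the $INCLUDEd key files contain), classifies each algorithm number per RFC 4034/5155, and reports any NSEC-only key before an NSEC3 signing run. The zone text, key tags and base64 key data are constructed samples.

```python
import re

# Algorithm classes transcribed from RFC 4034 / RFC 5155 (assumption: table is complete for the common ones).
NSEC_ONLY = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
NSEC3_ALIASES = {6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
EITHER = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
          14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Key file names as dnssec-keygen writes them: K<zone>.+<alg>+<tag>.key
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(key|private)$")
# DNSKEY RR in presentation format: <owner> [ttl] IN DNSKEY <flags> 3 <alg> <base64>
DNSKEY_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+\S", re.I)

def algorithm_from_keyfile(name):
    """Return the algorithm number encoded in a Kzone.+NNN+TTTTT.key file name."""
    m = KEYFILE_RE.match(name)
    if not m: raise ValueError(f"not a dnssec-keygen file name: {name}")
    return int(m.group("alg"))

def dnskeys_in_zone(zone_text):
    """Return (flags, algorithm) for every DNSKEY RR in zone text; ';' comments are stripped."""
    keys = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = DNSKEY_RE.match(line)
        if m:
            keys.append((int(m.group(1)), int(m.group(2))))
    return keys

def nsec3_problems(keys):
    """List why an NSEC3 signing run would refuse this key set (empty list means OK)."""
    problems = []
    for flags, alg in keys:
        role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks the key-signing key
        if alg in NSEC_ONLY:
            problems.append(f"{role} algorithm {alg} ({NSEC_ONLY[alg]}) is NSEC-only")
        elif alg not in NSEC3_ALIASES and alg not in EITHER:
            problems.append(f"{role} algorithm {alg} is unknown to this check")
    return problems

SAMPLE_ZONE = """\
; constructed sample: two algorithm-7 keys plus one RSASHA1 (algorithm 5) KSK
myzone.us. IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDkeydata1== ; Kmyzone.us.+007+11111
myzone.us. IN DNSKEY 256 3 7 AwEAAcONSTRUCTEDkeydata2== ; Kmyzone.us.+007+22222
myzone.us. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDkeydata3== ; Kmyzone.us.+005+33333
"""

if __name__ == "__main__":
    for p in nsec3_problems(dnskeys_in_zone(SAMPLE_ZONE)): print("refuse:", p)
```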