In message <4c67047a.3020...@jason.roysdon.net>, Jason Roysdon writes:
>
> On 08/14/2010 12:43 AM, Matthew Seaman wrote:
> > On 14/08/2010 02:08, Jason Roysdon wrote:
> >> The problem I have is that my zone is using an NSEC3 and when BIND's
> >> dnssec-signzone generates dsset files, it does so with algorithm 7. How
> >> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
> >> as Neustar requires?
> >
> > Add a second KSK of the appropriate type to your zone, and register that
> > upstream. It's perfectly normal to have several keys signing a zone and
> > active -- the normal key rollover mechanisms rely on it. The standard
> > says that up to 5 (I think) such keys must be supported.
> >
> > Cheers,
> >
> > Matthew
> >
>
> I generated an NSEC algorithm 5 KSK and put an $INCLUDE for it in my
> zone. I tried to sign the zone so it would start replicating the KSK,
> and I get this error when signing:
>
> $ /usr/sbin/dnssec-signzone -g -k Kmyzone.us.+007+XXXXX.key -o myzone.us
> myzone.us Kmyzone.+007+YYYYY
>
> dnssec-signzone: NSEC3 generation requested with NSEC only DNSKEY
>
> myzone.us zone has:
> $INCLUDE Kmyzone.us.+007+XXXXX.key
> $INCLUDE Kmyzone.us.+007+YYYYY.key
> $INCLUDE Kmyzone.us.+005+ZZZZZ.key
>
> The error only occurs once I add the NSEC $INCLUDE.
>
> Looking at this error, it appears you cannot mix NSEC-only keys with NSEC3.
>
> Any other suggestions?
You need to switch from NSEC3 to NSEC. By default dnssec-signzone will do
NSEC unless it finds an NSEC3PARAM RRset in the zone, in which case it will
use one of the parameter sets found there for the NSEC3 chain generation.
To switch use "dnssec-signzone -u" and don't specify any NSEC3 parameters.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
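The rule Mark describes (dnssec-signzone builds an NSEC3 chain only when the zone carries an NSEC3PARAM RRset, and an NSEC-only DNSKEY in such a zone produces the error Jason hit) as an added shell example, not code from the thread or from BIND: it expands the zone's $INCLUDE lines, reads each DNSKEY's algorithm number, and reports the mismatch before signing. The zone, key file names and key material are constructed placeholders.

```shell
# Added example, not from the thread: reproduce the check behind dnssec-signzone's
# "NSEC3 generation requested with NSEC only DNSKEY" using only the zone file and
# the key files it $INCLUDEs. Algorithms 3 (DSA) and 5 (RSASHA1) are NSEC-only
# under RFC 5155; 6 and 7 are their NSEC3-capable aliases.

# Print the zone with one level of $INCLUDE expanded (paths relative to the zone file).
expand_zone() {
    awk -v dir="$(dirname "$1")" '
        $1 == "$INCLUDE" { f = ($2 ~ /^\//) ? $2 : (dir "/" $2)
                           while ((getline l < f) > 0) print l; close(f); next }
        { print }' "$1"
}
# Algorithm number of every DNSKEY (the field after flags and protocol); comments skipped.
dnskey_algorithms() {
    expand_zone "$1" | awk '/^[;$]/ { next }
        { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i + 3); break } }'
}
# dnssec-signzone builds an NSEC3 chain only when the zone carries an NSEC3PARAM RRset.
chain_type() {
    if expand_zone "$1" | grep -v '^;' | grep -q '[[:space:]]NSEC3PARAM[[:space:]]'
    then echo NSEC3; else echo NSEC; fi
}
# 0 when the key set suits the chain type; 1 when an NSEC-only key sits in an NSEC3 zone.
check_keyset() {
    [ "$(chain_type "$1")" = NSEC3 ] || return 0
    for alg in $(dnskey_algorithms "$1"); do
        case "$alg" in
        3|5) echo "algorithm $alg DNSKEY is NSEC-only but zone has NSEC3PARAM:" \
                  "re-sign with 'dnssec-signzone -u' and no NSEC3 parameters" >&2
             return 1 ;;
        esac
    done
    return 0
}

# Constructed sample in the thread's layout: an algorithm-7 KSK plus an algorithm-5 KSK
# (key material is a placeholder, not a real key).
SAMPLE=$(mktemp -d)
printf 'myzone.us. IN DNSKEY 257 3 7 AwEAAPLACEHOLDER7\n' > "$SAMPLE/Kmyzone.us.+007+11111.key"
printf 'myzone.us. IN DNSKEY 257 3 5 AwEAAPLACEHOLDER5\n' > "$SAMPLE/Kmyzone.us.+005+33333.key"
cat > "$SAMPLE/myzone.us" <<'EOF'
$TTL 3600
@ IN SOA ns1.myzone.us. hostmaster.myzone.us. 2010081401 7200 3600 1209600 3600
@ IN NSEC3PARAM 1 0 10 ABCDEF
$INCLUDE Kmyzone.us.+007+11111.key
$INCLUDE Kmyzone.us.+005+33333.key
EOF
# The same zone with NSEC3PARAM dropped, i.e. what "-u" with no NSEC3 options signs.
grep -v NSEC3PARAM "$SAMPLE/myzone.us" > "$SAMPLE/myzone.us.nsec"
```

Running `check_keyset "$SAMPLE/myzone.us"` fails with the diagnostic, while the NSEC variant passes because the algorithm-5 key is only a problem once an NSEC3 chain is requested.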