On Monday 05 November 2012 12:16:31 Mark Andrews wrote:
> In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > Hi,
> >
> > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1
> > (algorithms 5 and 7, both being aliases), but BIND refuses to load the zone
> > complaining these algorithms are not supported:
> >
> > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash algorithm: 7
>
> The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> http://www.iana.org/assignments/dnssec-nsec3-parameters
>
> 5 and 7 refer to DNSKEY algorithms.
> http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml

I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a command like:

dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org

Sorry in advance for the question but I'm still getting the nuts and bolts of DNSSEC. :-)

Kind regards,
Antonio
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
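
Added example, not part of the original message and not BIND or OpenDNSSEC code: a small zone lint that keeps the two number spaces from the thread apart, reading the hash algorithm from the first NSEC3PARAM field and the key algorithm from the third DNSKEY field. The zone records, function names and messages are constructed for illustration; the rule that DNSKEY algorithms 1, 3 and 5 may not be used in an NSEC3 zone comes from RFC 5155, not from this thread.

```python
# Constructed sample records (placeholder key material, not a real zone).
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAcFakeKeyMaterial==
example.test. 3600 IN DNSKEY 256 3 5 AwEAAcFakeKeyMaterial==
example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD
example.test. 0 IN NSEC3PARAM 7 0 10 AABBCCDD
"""

# IANA "DNSSEC NSEC3 Parameters" registry: hash algorithms for NSEC3.
NSEC3_HASH_ALGS = {1: "SHA-1"}
# IANA "DNS Security Algorithm Numbers": DNSKEY algorithms that predate
# NSEC3 (RFC 5155) and therefore must not be used in an NSEC3 zone.
PRE_NSEC3_DNSKEY_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}


def parse_records(zone_text):
    """Yield (rrtype, rdata_fields) for 'owner ttl class type rdata...' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[3].upper(), fields[4:]


def check_zone(zone_text):
    """Return problems caused by mixing up the two algorithm number spaces."""
    records = list(parse_records(zone_text))
    uses_nsec3 = any(rrtype == "NSEC3PARAM" for rrtype, _ in records)
    problems = []
    for rrtype, rdata in records:
        if rrtype == "NSEC3PARAM":
            hash_alg = int(rdata[0])  # field 1: NSEC3 hash algorithm
            if hash_alg not in NSEC3_HASH_ALGS:
                problems.append(
                    f"NSEC3PARAM hash algorithm {hash_alg} is not defined")
        elif rrtype == "DNSKEY" and uses_nsec3:
            key_alg = int(rdata[2])  # field 3: DNSKEY algorithm
            if key_alg in PRE_NSEC3_DNSKEY_ALGS:
                problems.append(
                    f"DNSKEY algorithm {key_alg} "
                    f"({PRE_NSEC3_DNSKEY_ALGS[key_alg]}) "
                    "cannot be used in an NSEC3 zone")
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE):
        print(problem)
```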