On Monday 05 November 2012 13:05:30, Mark Andrews wrote:
> In message <201211051239.55119.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > On Monday 05 November 2012 12:16:31, Mark Andrews wrote:
> > > In message <201211051152.45367.a...@ipna.csic.es>, Antonio Marcos López Alonso writes:
> > > > Hi,
> > > >
> > > > I'm testing a DNSSEC server using BIND 9.7.3 and OpenDNSSEC. I have
> > > > successfully signed my local zone with ods tools and NSEC3 RSA/SHA1 (algorithms
> > > > 5 and 7, both being aliases), but BIND refuses to load the zone
> > > > complaining these algorithms are not supported:
> > > >
> > > > general: warning: zone myzone.mydomain.org/IN: unsupported nsec3 hash
> > > > algorithm: 7
> > >
> > > The *only* defined hash algorithm for NSEC3 records is 1 (SHA-1).
> > > http://www.iana.org/assignments/dnssec-nsec3-parameters
> > >
> > > 5 and 7 refer to DNSKEY algorithms.
> > > http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml
> >
> > I'm a little bit confused here. If SHA-1 is the only defined hash algorithm for
> > NSEC3, why is algorithm 7 listed as RSASHA1-NSEC3-SHA1, and why does it work in a
> > command like:
> >
> >   dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 1024 myzone.mydomain.org
> >
> > Sorry in advance for the question, but I'm still getting the nuts and bolts of
> > DNSSEC. :-)
> >
> > Kind regards,
> > Antonio
>
> There are a number of different algorithm numbers in various DNSSEC
> related records.
>
> * DNSSEC algorithm numbers appear in DNSKEY, RRSIG and DS records.
>   This defines how signatures are generated and whether NSEC3 is
>   permitted in the zone as well as which NSEC3 hash algorithms are
>   allowed in the zone.
> * NSEC3 hash algorithm numbers appear in NSEC3 records.
>   This defines the NSEC3 hash algorithm used to generate the NSEC3 record.
> * DS hash algorithm numbers appear in DS records.
>   This defines the DS hash algorithm used to generate the DS record.
>
> Note DS records have 2 algorithm numbers.
>
> Zones signed with RSASHA1-NSEC3-SHA1 (7) are signed with RSA
> signatures of the SHA1 hash of the RRset (RSASHA1). The zone *may*
> contain NSEC3 records, and those NSEC3 records must be generated using
> the SHA1 (1) hash algorithm.
>
> The error message said you signed the zone with NSEC3 records
> generated with hash algorithm 7. There is no such algorithm defined
> for NSEC3 records.
>
> Mark
Clear as water. Thanks a lot for taking the time to set me right!

Kind regards,
Antonio

**********************************
Antonio Marcos López Alonso
Servicio de Informática y Telecomunicaciones
Instituto de Productos Naturales y Agrobiología (IPNA-CSIC)
mailto:a...@ipna.csic.es
(+34) 922 260 190 (Ext. 237)
***********************************

bind-users mailing list, bind-users@lists.isc.org
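The distinction Mark draws above (DNSKEY/RRSIG/DS algorithm numbers versus the NSEC3 hash algorithm number) is easy to check mechanically. The following is an added example written for this thread, not code from BIND, OpenDNSSEC or Mark: it computes the NSEC3 owner-name hash exactly as RFC 5155 section 5 specifies, refuses any NSEC3 hash algorithm the IANA registry does not define, and runs a loader-style check over a handful of constructed presentation-format records that reproduces the "unsupported nsec3 hash algorithm: 7" warning from the original question next to the corrected zone. The zone name, records and the DNSKEY key material are placeholders made up for the example; the warning text mirrors the BIND message quoted in the thread but is this script's own output, and the "NSEC3-aware" flags per algorithm follow RFC 5155 (algorithms 3 and 5 predate NSEC3; 6 and 7 were registered for it; later registrations are NSEC3-aware).

```python
"""Added example for the bind-users thread: NSEC3 hash (RFC 5155 sec. 5) and the
two algorithm-number checks a zone loader applies. Not BIND/OpenDNSSEC code."""
import base64
import hashlib

# NSEC3 hash algorithm registry (dnssec-nsec3-parameters): only 1 = SHA-1 exists.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}

# DNSKEY/RRSIG/DS algorithm numbers (dns-sec-alg-numbers) and whether the
# algorithm signals NSEC3 support. 3 and 5 predate NSEC3 (RFC 5155 sec. 2),
# 6 and 7 are their NSEC3-aware aliases, later registrations are NSEC3-aware.
DNSKEY_ALGORITHMS = {
    3: ("DSA", False),
    5: ("RSASHA1", False),
    6: ("DSA-NSEC3-SHA1", True),
    7: ("RSASHA1-NSEC3-SHA1", True),
    8: ("RSASHA256", True),
    10: ("RSASHA512", True),
}

# base32 (RFC 4648) -> base32hex, the NSEC3 owner-name alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 sec. 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, hash_alg: int = 1) -> str:
    """NSEC3 owner hash (RFC 5155 sec. 5): IH(0) = H(name || salt),
    IH(k) = H(IH(k-1) || salt); the result is lowercase base32hex.
    Rejects any hash algorithm number the registry does not define."""
    if hash_alg not in NSEC3_HASH_ALGORITHMS:
        raise ValueError(f"unsupported nsec3 hash algorithm: {hash_alg}")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means empty salt
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32hex characters, so no padding appears.
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


def parse_rr(line: str):
    """Split one presentation-format record into (owner, TYPE, rdata fields).
    An optional TTL and class between owner and type are skipped."""
    owner, *rest = line.split()
    if rest and rest[0].isdigit():          # TTL
        rest = rest[1:]
    if rest and rest[0].upper() == "IN":    # class
        rest = rest[1:]
    rtype, *rdata = rest
    return owner, rtype.upper(), rdata


def check_zone(zone: str, records) -> list:
    """Loader-style checks: every NSEC3/NSEC3PARAM hash algorithm must be
    registered, and a zone that carries NSEC3 must have at least one
    NSEC3-aware DNSKEY algorithm. Returns warning strings (empty list = clean)."""
    warnings = []
    dnskey_algs, nsec3_seen = set(), False
    for line in records:
        _owner, rtype, rdata = parse_rr(line)
        if rtype == "DNSKEY":
            dnskey_algs.add(int(rdata[2]))     # rdata: flags protocol algorithm key
        elif rtype in ("NSEC3", "NSEC3PARAM"):
            nsec3_seen = True
            hash_alg = int(rdata[0])           # rdata: hash-alg flags iterations salt ...
            if hash_alg not in NSEC3_HASH_ALGORITHMS:
                warnings.append(f"zone {zone}/IN: unsupported nsec3 hash algorithm: {hash_alg}")
    if nsec3_seen and not any(DNSKEY_ALGORITHMS.get(a, ("?", False))[1] for a in dnskey_algs):
        names = ", ".join(DNSKEY_ALGORITHMS.get(a, ("?", False))[0] for a in sorted(dnskey_algs))
        warnings.append(f"zone {zone}/IN: NSEC3 present but no NSEC3-aware DNSKEY algorithm ({names})")
    return warnings


# Constructed records in the shape of the thread; the key field is a placeholder, not a real key.
BROKEN_ZONE = [
    "myzone.mydomain.org. 3600 IN DNSKEY 257 3 7 AwEAAcKEY==",
    "myzone.mydomain.org. 3600 IN NSEC3PARAM 7 0 10 aabbccdd",   # DNSKEY alg copied into the hash-alg field
]
FIXED_ZONE = [
    "myzone.mydomain.org. 3600 IN DNSKEY 257 3 7 AwEAAcKEY==",
    "myzone.mydomain.org. 3600 IN NSEC3PARAM 1 0 10 aabbccdd",   # NSEC3 hash algorithm 1 = SHA-1
]

if __name__ == "__main__":
    for w in check_zone("myzone.mydomain.org", BROKEN_ZONE):
        print("warning:", w)
    print("fixed zone warnings:", check_zone("myzone.mydomain.org", FIXED_ZONE))
    # RFC 5155 Appendix A: the apex "example" hashed with salt aabbccdd and 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
```

The RFC 5155 Appendix A vector (apex `example`, salt `aabbccdd`, 12 iterations) is the quickest way to confirm the hash routine before trusting it against a real zone; note that the DNSKEY algorithm 7 in `FIXED_ZONE` is what makes the zone NSEC3-capable, while the `1` in its NSEC3PARAM is the only value the NSEC3 hash-algorithm field can legally take.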