In message <20161016223109.6856756c8...@rock.dv.isc.org>, Mark Andrews writes:
>
> In message
> <can6ntqxxnyik75rf1e9fkch3cb8d5fqf6hkswxtxk_gyxcq...@mail.gmail.com>,
> =?UTF-8?B?w5NsYWZ1ciBHdcOwbXVuZHNzb24=?= writes:
> > I will be happy to do that, stay tuned as I need to create a special
> > signer for it :-)
> >
> > Olafur
>
> dnssec-signzone + awk + dnssec-dsfromkey works well.
>
> e.g.
> awk '$4 == "RRSIG" && $6 == 8 { $6 = 99 }
> $4 == "DNSKEY" && $7 == 8 { $7 = 99}
> { print }'
>
> Mark
Which by the way is what we do in our system tests for BIND 9.
#
# A zone with a unknown DNSKEY algorithm.
# Algorithm 7 is replaced by 100 in the zone and dsset.
#
zone=dnskey-unknown.example.
infile=dnskey-unknown.example.db.in
zonefile=dnskey-unknown.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile >
/dev/null 2>&1
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } {
print }' ${zonefile}.tmp > ${zonefile}.signed
$DSFROMKEY -A -f ${zonefile}.signed $zone > dsset-${zone}
>
> > On Sun, Oct 16, 2016 at 4:16 AM, Mikael Abrahamsson <swm...@swm.pp.se>
> > wrote:
> >
> > > On Sat, 15 Oct 2016, =C3=93lafur Gu=C3=B0mundsson wrote:
> > >
> > > I have domains signed by all combinations of signing algorithms and DS
> > >> digests as well as Nsec variants
> > >> Ds-n.alg-m-nsec.dnssec-test.org
> > >>
> > >> Replace n with 1..4
> > >> M with 1..14
> > >> Nsec is one of Nsec nsec3 none
> > >>
> > >
> > > I'd be veryinterested if you could create an algorithm called "99" (or
> > > something), and we could test that. Anyone not loading the "99" resource =
> > is
> > > violating the "SHOULD", even if they understand ECDSA.
> > >
> > > This would investigate ratio of problems when we want to introduce a new
> > > algorithm in the future.
> > >
> > >
> > > --
> > > Mikael Abrahamsson email: swm...@swm.pp.se
> > >
> >
> > --94eb2c0cd28c3de9dd053efdf57f
> > Content-Type: text/html; charset=UTF-8
> > Content-Transfer-Encoding: quoted-printable
> >
> > <div dir=3D"ltr">I will be happy to do that, =C2=A0stay tuned as I need to =
> > create a special signer for it :-)=C2=A0<div><br></div><div>Olafur</div><di=
> > v><br></div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote"=
> > >On Sun, Oct 16, 2016 at 4:16 AM, Mikael Abrahamsson <span dir=3D"ltr"><=
> > <a href=3D"mailto:swm...@swm.pp.se"; target=3D"_blank">swm...@swm.pp.se</a>&=
> > gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 =
> > 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=3D"">On Sat=
> > , 15 Oct 2016, =C3=93lafur Gu=C3=B0mundsson wrote:<br>
> > <br>
> > <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
> > x #ccc solid;padding-left:1ex">
> > I have domains signed by all combinations of signing algorithms and DS<br>
> > digests as well as Nsec variants<br>
> > <a href=3D"http://Ds-n.alg-m-nsec.dnssec-test.org"; rel=3D"noreferrer" targe=
> > t=3D"_blank">Ds-n.alg-m-nsec.dnssec-test.or<wbr>g</a><br>
> > <br>
> > Replace n with 1..4<br>
> > M with 1..14<br>
> > Nsec is one of Nsec nsec3 none<br>
> > </blockquote>
> > <br></span>
> > I'd be veryinterested if you could create an algorithm called "99&=
> > quot; (or something), and we could test that. Anyone not loading the "=
> > 99" resource is violating the "SHOULD", even if they underst=
> > and ECDSA.<br>
> > <br>
> > This would investigate ratio of problems when we want to introduce a new al=
> > gorithm in the future.<div class=3D"HOEnZb"><div class=3D"h5"><br>
> > <br>
> > -- <br>
> > Mikael Abrahamsson=C2=A0 =C2=A0 email: <a href=3D"mailto:swm...@swm.pp.se"; =
> > target=3D"_blank">swm...@swm.pp.se</a></div></div></blockquote></div><br></=
> > div>
> >
> > --94eb2c0cd28c3de9dd053efdf57f--
> >
> >
> > --===============9042271128241020298==
> > Content-Type: text/plain; charset="us-ascii"
> > MIME-Version: 1.0
> > Content-Transfer-Encoding: 7bit
> > Content-Disposition: inline
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
> > --===============9042271128241020298==--
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
