
DNSSEC DS record generation for DOT-US from NSEC3 signed-zone


Jason Roysdon

Aug 13, 2010, 9:08:12 PM
to bind-...@lists.isc.org
I am working on getting my DS record added to the DOT-US zone with
Neustar. In doing so, I found out they have a limitation of only
supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is
RSA/SHA1:
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

They do not support algorithm 7, which is RSASHA1-NSEC3-SHA1. So when I
sent them my DS keys, they added them as algorithm 3, which of course
didn't work and reported bogus DS records, so they pulled the record
back out.

The problem I have is that my zone is using an NSEC3 and when BIND's
dnssec-signzone generates dsset files, it does so with algorithm 7. How
can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
as Neustar requires?

Thanks,

Jason Roysdon
http://jason.roysdon.net/
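A worked example of what the registry is being asked to accept (added here; it is not code from the thread and not BIND's own tooling): a DS record's key tag and digest are computed over the DNSKEY RDATA, and that RDATA contains the algorithm byte, so a DS entered under algorithm 3 for a key that is really algorithm 7 can never match the key the resolver fetches. The public key below is a constructed placeholder, not a real RSA key.

```python
import base64
import hashlib
import struct

# Constructed placeholder public key (not a real RSA key): the DNS wire form is
# exponent-length byte, exponent, modulus; the values here are arbitrary filler.
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(1, 65))).decode()

def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lower-case, uncompressed."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, then the key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): sum of 16-bit words with the carry folded back in."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """Return (key_tag, algorithm, digest_type, digest) as they appear in a DS RR.

    The digest covers owner-name || DNSKEY RDATA (RFC 4034 s5.1.4), so the
    algorithm byte is part of what gets hashed; digest type 2 is SHA-256 (RFC 4509).
    """
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_text(owner, *args, **kwargs):
    """Presentation form of the DS RR, as it would be handed to a registry."""
    tag, alg, dtype, digest = ds_record(owner, *args, **kwargs)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"

if __name__ == "__main__":
    # The same KSK material (flags 257) under its true algorithm 7 versus relabelled
    # as 3 or 5: the key tag and the digest change with the algorithm byte.
    for alg in (3, 5, 7):
        print(ds_text("myzone.us.", 257, 3, alg, SAMPLE_PUBKEY_B64))
```

Compare the printed line for algorithm 7 with the one for algorithm 3 to see why a relabelled DS fails validation.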

Jason Roysdon

Aug 14, 2010, 5:02:50 PM
to bind-...@lists.isc.org

On 08/14/2010 12:43 AM, Matthew Seaman wrote:

> On 14/08/2010 02:08, Jason Roysdon wrote:
>> The problem I have is that my zone is using an NSEC3 and when BIND's
>> dnssec-signzone generates dsset files, it does so with algorithm 7. How
>> can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC)
>> as Neustar requires?
>
> Add a second KSK of the appropriate type to your zone, and register that
> upstream. It's perfectly normal to have several keys signing a zone and
> active -- the normal key rollover mechanisms rely on it. The standard
> says that up to 5 (I think) such keys must be supported.
>
> Cheers,
>
> Matthew
>

I generated an NSEC algorithm 5 KSK and put an $INCLUDE for it in my
zone. I tried to sign the zone so it would start replicating the KSK,
and I get this error when signing:

$ /usr/sbin/dnssec-signzone -g -k Kmyzone.us.+007+XXXXX.key -o myzone.us
myzone.us Kmyzone.+007+YYYYY

dnssec-signzone: NSEC3 generation requested with NSEC only DNSKEY

myzone.us zone has:
$INCLUDE Kmyzone.us.+007+XXXXX.key
$INCLUDE Kmyzone.us.+007+YYYYY.key
$INCLUDE Kmyzone.us.+005+ZZZZZ.key

The error only occurs once I add the NSEC $INCLUDE.

Looking at this error, it appears you cannot mix NSEC-only keys with NSEC3.

Any other suggestions?

Jason Roysdon
http://jason.roysdon.net/

Mark Andrews

Aug 15, 2010, 10:34:40 PM
to Jason Roysdon, bind-...@isc.org

You need to switch from NSEC3 to NSEC. By default dnssec-signzone
will do NSEC unless it finds an NSEC3PARAM RRset in the zone, in which
case it will use one of the parameter sets found there for the
NSEC3 chain generation.

To switch use "dnssec-signzone -u" and don't specify any NSEC3
parameters.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
