[dnssec-deployment] Need Explanation.
Paul Wouters
paul at xelerance.com
Wed Oct 7 22:01:40 EDT 2009
On Thu, 8 Oct 2009, Amir Haris Ahmad wrote:
>
> Actually I got a few questions regarding DNSSEC.
>
> 1. I have already experimented with the NSEC3RSASHA1 (7) algorithm. If I'm using that algorithm, am I
> already using NSEC3? Because with that algorithm, my signed zone is using algorithm 7 and still shows
> NSEC.
This happens if you re-use old DNSSEC records to create your zone and you switched the DNSKEY algorithm.
Try skipping the "re-using old records" phase.
> 2. If I, as a parent, am using NSEC3RSASHA1, do my children need to use the same algorithm? I was testing
> with nsupdate, in which the children need to use the same algorithm in order to send a DS nsupdate.
No. You can use a different algorithm. The DS record specifies which algorithm to expect
in the child zone.
> 3. How about the root server? Which algorithm will be used? Let's say the root servers are using RSASHA1;
> do the other TLDs then need to use the same algorithm?
See many many postings regarding what the root zone should use. I'm not touching that with an answer :)
> Actually I'm from .my domain registry.
Cool. Let me know if you have updates for your entry on the map at http://www.xelerance.com/dnssec/
Paul
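
The two checks discussed in this message, as an added example that is not part of the original post: it reports which denial-of-existence records a zone actually carries next to its DNSKEY algorithm, and confirms that each DS in the parent points at a child DNSKEY by key tag and algorithm, whatever algorithm the parent signs with. The zone names, the dummy key material and the DS digest are constructed for illustration, and the digest itself is not verified.

```python
import base64

# Constructed sample records (not from the original post). The key material and
# DS digest are dummy values; only the record fields matter for these checks.
PARENT_ZONE = """\
example.       3600 IN DNSKEY 257 3 7 AQIDBA==
child.example. 3600 IN DS     2063 8 2 00112233
child.example. 3600 IN NSEC   example. NS DS RRSIG NSEC
"""
CHILD_ZONE = """\
child.example. 3600 IN DNSKEY 257 3 8 AQIDBA==
child.example. 3600 IN NSEC3PARAM 1 0 10 AABB
"""

def records(zone_text):
    """Yield (owner, rrtype, rdata_fields) from one-line 'owner ttl IN type rdata' records."""
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()
        if len(f) >= 5 and f[2] == "IN":
            yield f[0].lower(), f[3].upper(), f[4:]

def key_tag(flags, proto, alg, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def dnskey_algs(zone_text):
    """Set of DNSKEY algorithm numbers present in the zone."""
    return {int(r[2]) for _, t, r in records(zone_text) if t == "DNSKEY"}

def denial_mode(zone_text):
    """Which denial-of-existence record types the zone carries, regardless of key algorithm."""
    types = {t for _, t, _ in records(zone_text)}
    has_nsec3 = bool(types & {"NSEC3", "NSEC3PARAM"})
    if has_nsec3 and "NSEC" in types:
        return "mixed"
    return "NSEC3" if has_nsec3 else "NSEC" if "NSEC" in types else "none"

def ds_matches_child(parent_text, child_text):
    """Map each parent DS (owner, key tag, algorithm) to whether the child has that DNSKEY."""
    keys = {(o, key_tag(int(r[0]), int(r[1]), int(r[2]), "".join(r[3:])), int(r[2]))
            for o, t, r in records(child_text) if t == "DNSKEY"}
    return {(o, int(r[0]), int(r[1])): (o, int(r[0]), int(r[1])) in keys
            for o, t, r in records(parent_text) if t == "DS"}
```

On the constructed data the parent shows the symptom from question 1 (an algorithm 7 key with NSEC records), while its DS for the child names algorithm 8 and still matches the child's key.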