[dnssec-deployment] Need Explanation.
Amir Haris Ahmad
amir at lt.my
Wed Oct 7 22:17:08 EDT 2009
On Thu, Oct 8, 2009 at 10:01 AM, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 8 Oct 2009, Amir Haris Ahmad wrote:
>> Actually I got a few questions regarding DNSSEC.
>> 1. I already done doing experiment with NSEC3RSASHA1(7) algorithm. If i'm
>> using the said algorithm, is it
>> i'm already using NSEC3? Because with that algorithm, my signed zone is
>> using algorithm 7 and still show
> This happens if you re-use old dnssec records to create your zone and you
> switched DNSKEY algorithm.
> Try skipping the "re-using old records" phase.
Actually I'm create the new one and using dnssec-keygen with -a NSEC3RSASHA1
generating KSK & ZSK. After that using dnssec-signzone. Yes it appear to use
id 7 for the algorithm and NSEC appear but not as NSEC3.. just want to
confirm is it NSEC3
> 2. If I'm as a parents using NSEC3RSASHA1, so my childs need to use the
>> same algorithm? As i was testing
>> with nsupdate, which the children need to use the same algorithm in order
>> do send DS nsupdate.
> No. You can use a different algorithm. The DS record specifies which
> algorithm to expect
> in the child zone.
By using nsupdate by sending DS with other algorithm e.g current
7-NSEC3RSASHA1 and sending 5-RSASHA1 the DS with RSASHA1 was not updated
but with NSEC3RSASHA1 yes it update the zone. I have not try with static
> 3. How about the root server? which algorithm will be used? Let say the
>> root servers are using RSASHA1,
>> thus the other TLD need to use the same algorithm?
> See many many postings regarding what the root zone should use. I'm not
> touching that with an answer :)
> Actually I'm from .my domain registry.
> Cool. Let me know if you have updates for your entry on the map at
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dnssec-deployment