[dnssec-deployment] Need Explanation.

Amir Haris Ahmad amir at lt.my
Wed Oct 7 22:17:08 EDT 2009 

On Thu, Oct 8, 2009 at 10:01 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 8 Oct 2009, Amir Haris Ahmad wrote:
>
>
>> Actually I got a few questions regarding DNSSEC.
>>
>> 1. I already done doing experiment with NSEC3RSASHA1(7) algorithm. If i'm
>> using the said algorithm, is it
>> i'm already using NSEC3? Because with that algorithm, my signed zone is
>> using algorithm 7 and still show
>> NSEC.
>>
>
> This happens if you re-use old dnssec records to create your zone and you
> switched DNSKEY algorithm.
> Try skipping the "re-using old records" phase.

Actually I'm create the new one and using dnssec-keygen with -a NSEC3RSASHA1
generating KSK & ZSK. After that using dnssec-signzone. Yes it appear to use
id 7 for the algorithm and NSEC appear but not as NSEC3.. just want to
confirm is it NSEC3

>
>
>  2. If I'm as a parents using NSEC3RSASHA1, so my childs need to use the
>> same algorithm? As i was testing
>> with nsupdate, which the children need to use the same algorithm in order
>> do send DS nsupdate.
>>
>
> No. You can use a different algorithm. The DS record specifies which
> algorithm to expect
> in the child zone.
>
By using nsupdate by sending DS with other algorithm e.g current
7-NSEC3RSASHA1  and sending 5-RSASHA1 the DS with RSASHA1 was not updated
but with NSEC3RSASHA1 yes it update the zone. I have not try with static
signing

>
>  3. How about the root server? which algorithm will be used? Let say the
>> root servers are using RSASHA1,
>> thus the other TLD need to use the same algorithm?
>>
>
> See many many  postings regarding what the root zone should use. I'm not
> touching that with an answer :)
>
>
>  Actually I'm from .my domain registry.
>>
>
> Cool. Let me know if you have updates for your entry on the map at
> http://www.xelerance.com/dnssec/
>
> Sure...

> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://dnssec-deployment.org/pipermail/dnssec-deployment/attachments/20091008/d9aeb7ce/attachment.html

More information about the Dnssec-deployment mailing list