[dnssec-deployment] Need Explanation.
Mark Andrews
marka at isc.org
Wed Oct 7 22:39:45 EDT 2009
In message <list-18100655 at execdsl.com>, Paul Wouters writes:
> On Thu, 8 Oct 2009, Amir Haris Ahmad wrote:
>
> > Actually I have a few questions regarding DNSSEC.
> >
> > 1. I have already done an experiment with the NSEC3RSASHA1 (7) algorithm. If I'm using the said algorithm, does it mean
> > I'm already using NSEC3? Because with that algorithm, my signed zone is using algorithm 7 and still shows
> > NSEC.
>
> This happens if you re-use old dnssec records to create your zone and you switched DNSKEY algorithm.
> Try skipping the "re-using old records" phase.
No. The choice of whether to use NSEC or NSEC3 is one for the
operator. NSEC3RSASHA1 does not imply NSEC3 is in use. It implies
that NSEC3 *may* be in use.
NSEC3 should not be used unless there is a good reason to use it.
Most zones don't need it and leaf reverse zones never need it as
there is too much structure in them for the hashing to prevent
enumeration and there are no delegations so opt-out doesn't do anything.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
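Added example, not code from the thread or from ISC: a small checker that reports which denial-of-existence chain a signed zone actually carries, whether that is consistent with its DNSKEY algorithms, and flags the leaf-reverse-zone case Mark describes. The zone format (owner, rrtype, rdata tuples), the sample records and the placeholder key material are all constructed for this example.

```python
# Added example; zones are constructed (owner, rrtype, rdata) tuples and the
# sample records below are made up. Algorithm numbers are from the IANA registry.

# Algorithms that may sign an NSEC3 chain (RFC 5155 sec. 2 and later RFCs).
# 3 (DSA) and 5 (RSASHA1) are NSEC-only; 6 and 7 are their NSEC3-capable
# aliases and, as Mark says, only permit NSEC3, they do not require it.
NSEC3_CAPABLE = {6, 7, 8, 10, 13, 14, 15, 16}

def dnskey_algorithms(zone):
    """Algorithm numbers from DNSKEY rdata ('flags protocol algorithm key')."""
    return {int(rdata.split()[2]) for _, rtype, rdata in zone if rtype == "DNSKEY"}

def denial_mode(zone):
    """Which authenticated-denial chain the zone actually carries."""
    types = {rtype for _, rtype, _ in zone}
    nsec, nsec3 = "NSEC" in types, bool(types & {"NSEC3", "NSEC3PARAM"})
    return {(True, False): "NSEC", (False, True): "NSEC3",
            (True, True): "mixed", (False, False): "none"}[(nsec, nsec3)]

def is_leaf_reverse_zone(apex, zone):
    """Reverse zone whose only NS records sit at the apex (no delegations)."""
    reverse = apex.lower().endswith((".in-addr.arpa.", ".ip6.arpa."))
    delegated = any(rtype == "NS" and owner.lower() != apex.lower()
                    for owner, rtype, _ in zone)
    return reverse and not delegated

def analyse(apex, zone):
    """Summarise algorithms, denial mode and whether the combination is sane."""
    algs, mode = dnskey_algorithms(zone), denial_mode(zone)
    # NSEC3 needs every signing algorithm to be NSEC3-capable; NSEC accepts any.
    consistent = mode != "mixed" and (mode != "NSEC3" or algs <= NSEC3_CAPABLE)
    notes = []
    if mode == "NSEC" and algs & NSEC3_CAPABLE:
        notes.append("NSEC3-capable algorithm with an NSEC chain: valid, NSEC3 is optional")
    if mode == "NSEC3" and is_leaf_reverse_zone(apex, zone):
        notes.append("leaf reverse zone: hashing does not hide its structure "
                     "and opt-out has no delegations to skip")
    return {"algorithms": sorted(algs), "mode": mode,
            "consistent": consistent, "notes": notes}

# Constructed sample matching the question: algorithm 7 keys, NSEC chain.
FORWARD = [("example.com.", "DNSKEY", "257 3 7 AwEAAc...placeholder..."),
           ("example.com.", "NS", "ns1.example.com."),
           ("example.com.", "NSEC", "ns1.example.com. NS SOA RRSIG NSEC DNSKEY"),
           ("ns1.example.com.", "NSEC", "example.com. A RRSIG NSEC")]
# Constructed sample: a /24 reverse zone with an NSEC3 chain and no delegations.
REVERSE = [("2.0.192.in-addr.arpa.", "DNSKEY", "257 3 8 AwEAAc...placeholder..."),
           ("2.0.192.in-addr.arpa.", "NS", "ns1.example.com."),
           ("2.0.192.in-addr.arpa.", "NSEC3PARAM", "1 0 10 AB"),
           ("1.2.0.192.in-addr.arpa.", "PTR", "host1.example.com.")]
```

Running `analyse("example.com.", FORWARD)` reports mode NSEC with algorithm 7 as a consistent, valid combination, which is the questioner's situation; the reverse-zone sample is reported as consistent but noted as gaining nothing from NSEC3.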