[Pdns-users] pdnssec set-nsec3 question

Klaus Darilion klaus.mailinglists at pernau.at
Mon Feb 3 14:12:05 UTC 2014


 From "man pdnssec":

        set-nsec3 ZONE 'params' [narrow]
               Sets NSEC3 parameters for this zone. A sample commandline is:
               "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The
               NSEC3 parameters must be quoted on the command line.
               If running in RSASHA1 mode (algorithm 5 or 7), switching from
               NSEC to NSEC3 will require a DS update at the parent zone!

I do not understand the last sentence. 7 is an alias for 5 to reflect 
NSEC3 compatibility. Thus, if the algorithm is already 7, why is a DS 
update necessary? I would have expected a warning like "If using algorithm 
3 or 5 you need to upgrade to algorithm 6 or 7 and update the 
corresponding DS record".

Or does PowerDNS automatically change the announced algorithm from 5 to 
7 when activating NSEC3?
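
Added example (not part of the original post and not PowerDNS code): per RFC 4034, both the key tag and the DS digest are computed over the DNSKEY RDATA, which includes the algorithm number, so the same RSA key published as algorithm 5 and as algorithm 7 produces two different DS records. The zone name and key bytes below are constructed placeholders, and this shows only the record arithmetic, not what pdnssec does when NSEC3 is enabled.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes):
    """Return (key tag, algorithm, digest type, digest) with SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, 2, digest


# Constructed sample input: RSA exponent length 3, exponent 65537, followed by
# a placeholder 128-byte "modulus". Not a real key.
SAMPLE_KEY = b"\x03\x01\x00\x01" + bytes(range(1, 129))
ZONE = "example.org"  # constructed zone name


def compare(zone: str = ZONE, key: bytes = SAMPLE_KEY) -> dict:
    """DS for the same KSK (flags 257) under algorithm 5 and algorithm 7."""
    return {alg: ds_record(zone, 257, alg, key) for alg in (5, 7)}


if __name__ == "__main__":
    for tag, alg, dtype, digest in compare().values():
        print(f"{ZONE}. IN DS {tag} {alg} {dtype} {digest}")
```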

