[Pdns-users] pdnssec set-nsec3 question
klaus.mailinglists at pernau.at
Mon Feb 3 14:12:05 UTC 2014
From "man pdnssec":
set-nsec3 ZONE 'params' [narrow]
Sets NSEC3 parameters for this zone. A sample
commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The
NSEC3 parameters must be quoted on the command line.
If running in RSASHA1 mode (algorithm 5 or 7), switching
from NSEC to NSEC3 will require a DS update at the parent zone!
I do not understand the last sentence. 7 is an alias for 5 to reflect
NSEC3 compatibility. Thus, if the algorithm is already 7, why is a DS
update necessary? I would have expect a warning like "If using algorithm
3 or 5 you need to upgrade to algorithm 6 or 7 and update the
corresponding DS record".
Or does PowerDNS automatically change the announced algorithm from 5 to
7 when activating NSEC3?
More information about the Pdns-users