[Pdns-users] pdnssec set-nsec3 question

Peter van Dijk peter.van.dijk at netherlabs.nl
Mon Feb 3 19:23:05 UTC 2014

Hello Klaus,

On 03 Feb 2014, at 15:12 , Klaus Darilion <klaus.mailinglists at pernau.at> wrote:

> From "man pdnssec":
>       set-nsec3 ZONE 'params' [narrow]
>              Sets  NSEC3  parameters  for this zone. A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The
>              NSEC3 parameters must be quoted on the command line.
>              WARNING:
>              If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!
> I do not understand the last sentence. 7 is an alias for 5 to reflect NSEC3 compatibility. Thus, if the algorithm is already 7, why is a DS update necessary? I would have expect a warning like "If using algorithm 3 or 5 you need to upgrade to algorithm 6 or 7 and update the corresponding DS record”.

If it is already 7, no update is necessary.

> Or does PowerDNS automatically change the announced algorithm from 5 to 7 when activating NSEC3?


Kind regards,
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20140203/9e8616d9/attachment-0001.sig>

More information about the Pdns-users mailing list