[Pdns-users] pdnssec set-nsec3 question
Peter van Dijk
peter.van.dijk at netherlabs.nl
Mon Feb 3 19:23:05 UTC 2014
Hello Klaus,
On 03 Feb 2014, at 15:12 , Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> From "man pdnssec":
>
> set-nsec3 ZONE 'params' [narrow]
> Sets NSEC3 parameters for this zone. A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The
> NSEC3 parameters must be quoted on the command line.
> WARNING:
> If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!
>
>
> I do not understand the last sentence. 7 is an alias for 5 to reflect NSEC3 compatibility. Thus, if the algorithm is already 7, why is a DS update necessary? I would have expected a warning like "If using algorithm 3 or 5 you need to upgrade to algorithm 6 or 7 and update the corresponding DS record".
If it is already 7, no update is necessary.
> Or does PowerDNS automatically change the announced algorithm from 5 to 7 when activating NSEC3?
Yes.
Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
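
Why the algorithm change from 5 to 7 forces a DS update, as an added example that is not part of the original thread and not PowerDNS code: the algorithm number is part of the DNSKEY RDATA, so the key tag and digest in the parent's DS change even though the key bytes do not. The key material is constructed filler, the function names are this example's own, and the DS uses digest type 2 (SHA-256).

```python
import hashlib
import struct

def dnskey_rdata(algorithm: int, public_key: bytes, flags: int = 257) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest), RFC 4509."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def parent_ds_matches(owner: str, parent_ds: tuple, child_rdata: bytes) -> bool:
    """True if the DS held by the parent still identifies the child's DNSKEY."""
    return ds_record(owner, child_rdata) == parent_ds

# Constructed sample key: exponent length 3, exponent 65537, 128 filler bytes as modulus.
SAMPLE_KEY = b"\x03\x01\x00\x01" + bytes((i * 7 + 1) % 256 for i in range(128))
ZONE = "powerdnssec.org"

if __name__ == "__main__":
    before = dnskey_rdata(5, SAMPLE_KEY)   # RSASHA1, zone uses NSEC
    after = dnskey_rdata(7, SAMPLE_KEY)    # RSASHA1-NSEC3-SHA1, same key bytes
    parent_ds = ds_record(ZONE, before)    # what the parent published earlier
    print("DS before:", ds_record(ZONE, before))
    print("DS after: ", ds_record(ZONE, after))
    print("parent DS still valid:", parent_ds_matches(ZONE, parent_ds, after))
```
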