I am working on getting my DS record added to the DOT-US zone with Neustar. In doing so, I found out they have a limitation of only supporting algorithm 3, which is DSA/SHA1, or algorithm 5, which is RSA/SHA1: http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
They do not support algorithm 7, which is RSASHA1-NSEC3-SHA1. So when I sent them my DS keys, they added them as algorithm 3, which of course didn't work and reported bogus DS records, so they pulled the record back out.

The problem I have is that my zone is using NSEC3, and when BIND's dnssec-signzone generates dsset files, it does so with algorithm 7. How can I generate DS records with NSEC3 keys, for algorithm 3 or 5 (NSEC) as Neustar requires?

Thanks,
Jason Roysdon
http://jason.roysdon.net/

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
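An added example, not part of the original post: per RFC 4034 the DS key tag and digest are computed over the DNSKEY RDATA, which includes the algorithm number, so a DS built from an algorithm 7 key fails validation when it is filed under another algorithm. The zone name `example.us.`, the key bytes and the function names are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=1):
    """Return (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds, owner, flags, protocol, algorithm, public_key):
    """True when the DS agrees with the DNSKEY in tag, algorithm and digest."""
    return ds == make_ds(owner, flags, protocol, algorithm, public_key, ds[2])

# Constructed sample data: not a real key or zone.
OWNER = "example.us."
PUBKEY = b"\x03\x01\x00\x01" + hashlib.sha256(b"constructed").digest() * 4
KSK = (257, 3, 7, PUBKEY)  # flags 257 (KSK), protocol 3, algorithm 7

def demo():
    ds7 = make_ds(OWNER, *KSK)
    relabeled = (ds7[0], 3, ds7[2], ds7[3])  # same digest filed as algorithm 3
    ds5 = make_ds(OWNER, 257, 3, 5, PUBKEY)  # same key bytes hashed as algorithm 5
    return {
        "as_generated": ds_matches(ds7, OWNER, *KSK),
        "relabeled_as_3": ds_matches(relabeled, OWNER, *KSK),
        "rehashed_as_5": ds_matches(ds5, OWNER, *KSK),
        "tag_shift": (ds7[0] - ds5[0]) % 65536,
    }

if __name__ == "__main__":
    print(demo())
```

Only the DS derived from the DNSKEY exactly as published matches; both the relabeled record and the one rehashed with algorithm 5 are rejected against the algorithm 7 key.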