On 07/05/2012 11:20 AM, Georg Sluyterman wrote:
> On 2012-07-05, at 10:45, Matthijs Mekking wrote:
>
>> Hi,
>>
>> On 07/05/2012 10:27 AM, Sander Smeenk wrote:
>>> Quoting Georg Sluyterman ([email protected]):
>>>
>>> <---cut--->
>>>> When I choose an algorithm type for NSEC3 it seems that only
>>>> key type 1 is allowed and not e.g. 5 or 7, although key type
>>>> 1 is deprecated according to IANA
>>>> (http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.txt).
>>>>
>>>> Is this about to change, or is there some reason why this is the case?
>>>
>>> No idea. :)
>>
>> The number 1 refers to the NSEC3 hash algorithm type. Only SHA-1
>> is defined (1). I think you are confusing it with the DNSKEY
>> algorithm numbers, which should be set in the <Keys> section. If
>> you want to use NSEC3, you want to do 7.
>
> Okay.
>
> Would it work with NSEC3 if I choose e.g. 8 (RSA/SHA-256) for <Key>
> for zsk and ksk?

Yes. The use of the SHA-2 algorithm family signals that there exists
NSEC3 support.

Best regards,
  Matthijs

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
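
An added example, not part of the original thread and not OpenDNSSEC code: a Python check that applies the distinction made in the reply above to a policy file. The NSEC3 hash algorithm must be 1, while the DNSKEY algorithm under <Keys> must not be one of the pre-NSEC3 numbers 1, 3 or 5. The element paths assume the kasp.xml layout, and the two sample policies are constructed.

```python
import xml.etree.ElementTree as ET

# NSEC3 hash algorithm registry: only 1 (SHA-1) is defined.
NSEC3_HASH_ALGS = {1: "SHA-1"}
# DNSKEY algorithms that predate NSEC3. RFC 5155 added 6 and 7 as aliases of
# 3 and 5 so that a zone can signal NSEC3 use; 8 and later imply support.
PRE_NSEC3_DNSKEY_ALGS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}

# Constructed sample (assumed kasp.xml layout, cut down to the relevant parts).
SAMPLE_KASP = """\
<KASP>
  <Policy name="confused">
    <Denial><NSEC3><Hash><Algorithm>7</Algorithm></Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">5</Algorithm></KSK>
      <ZSK><Algorithm length="1024">5</Algorithm></ZSK>
    </Keys>
  </Policy>
  <Policy name="sha256">
    <Denial><NSEC3><Hash><Algorithm>1</Algorithm></Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm></ZSK>
    </Keys>
  </Policy>
</KASP>
"""

def check_policy(policy):
    """Return a list of problems for one <Policy> element."""
    hash_alg = policy.find("Denial/NSEC3/Hash/Algorithm")
    if hash_alg is None:
        return []  # plain NSEC: the NSEC3 constraints do not apply
    problems = []
    h = int(hash_alg.text)
    if h not in NSEC3_HASH_ALGS:
        problems.append(f"NSEC3 hash algorithm {h} is not defined, use 1 (SHA-1)")
    for role in ("KSK", "ZSK"):
        for alg in policy.findall(f"Keys/{role}/Algorithm"):
            n = int(alg.text)
            if n in PRE_NSEC3_DNSKEY_ALGS:
                problems.append(f"{role} DNSKEY algorithm {n} "
                                f"({PRE_NSEC3_DNSKEY_ALGS[n]}) does not signal NSEC3")
    return problems

def check_kasp(xml_text):
    """Map each policy name to its list of problems."""
    return {p.get("name"): check_policy(p) for p in ET.fromstring(xml_text).iter("Policy")}

if __name__ == "__main__":
    for name, problems in check_kasp(SAMPLE_KASP).items():
        print(name, "OK" if not problems else problems)
```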
