Is it possible to use NSEC3 resource records with RSASHA256 keys or does NSEC3 require using NSEC3RSASHA1 or NSEC3DSA keys?
1 Answer
The reason why RSASHA1 was assigned a separate identifier for use together with NSEC3 is that RSASHA1 had been defined and already been in use for a long time before NSEC3 existed.
Thus, when introducing NSEC3 it was deemed best for compatibility with existing deployed software not to extend how RSASHA1 should work, but to present the updated spec as an entirely new algorithm, RSASHA1-NSEC3-SHA1, which existing software would clearly recognize as unsupported instead of incorrectly using its NSEC-only code with NSEC3 zones.
When later algorithms such as RSASHA256, ECDSAP256SHA256, etc. were introduced, these included support for NSEC3 from the get-go.
As you can see in the listing of the assigned DNSSEC algorithms, there are no NSEC3 variations for any newer algorithms.
You get to finish this first and it has everything covered. Just wanted to add that RFC 6944 might also be interesting to read. – Esa Jokinen Jun 23 '17 at 11:35
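As an added illustration (not part of the original question, answer or comment), the script below makes two points from the answer concrete: the NSEC3 owner-name hash (RFC 5155 section 5) has its own hash-algorithm field and is computed the same way regardless of which DNSKEY algorithm signs the zone, and only the pre-NSEC3 algorithm numbers 1, 3 and 5 are unsafe to combine with NSEC3. The algorithm sets, the helper names and the sample zone (an NSEC3 zone signed with RSASHA256 plus a leftover RSASHA1 key) are this example's own assumptions; the hash parameters (salt aabbccdd, 12 iterations) are the ones used in RFC 5155 Appendix A.

```python
import base64
import hashlib

# DNSKEY algorithm numbers from the IANA DNSSEC registry (assumed subset).
# 1, 3 and 5 predate NSEC3 and must not sign NSEC3 zones; 6 and 7 are the
# NSEC3-aware re-registrations of DSA and RSASHA1; later algorithms support
# NSEC and NSEC3 alike, so they never needed an "-NSEC3" variant.
NSEC_ONLY = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}
NSEC3_AWARE = {
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
    10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
# The NSEC3-aware re-registration of each legacy algorithm, where one exists.
NSEC3_VARIANT_OF = {3: 6, 5: 7}

# RFC 4648 base32 -> base32hex alphabet translation for NSEC3 owner names.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire-format owner name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, hash_alg: int = 1) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x || salt); IH(salt,x,k) = H(IH(salt,x,k-1) || salt).

    hash_alg is the NSEC3 hash-algorithm field, of which only 1 (SHA-1) is
    defined. It is unrelated to the DNSKEY algorithm used to sign the zone.
    """
    if hash_alg != 1:
        raise ValueError(f"unknown NSEC3 hash algorithm {hash_alg}")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> 32 base32hex characters, no padding needed.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def check_zone_algorithms(dnskey_algs, uses_nsec3: bool):
    """Return human-readable problems for the DNSKEY algorithms of a zone.

    A problem is reported when an NSEC-only algorithm signs an NSEC3 zone, or
    when an algorithm number is outside the registry subset known here.
    """
    problems = []
    for alg in dnskey_algs:
        if alg in NSEC3_AWARE:
            continue
        if alg in NSEC_ONLY:
            if uses_nsec3:
                fix = NSEC3_VARIANT_OF.get(alg)
                hint = f"use algorithm {fix} or a newer one" if fix else "use a newer algorithm"
                problems.append(f"algorithm {alg} ({NSEC_ONLY[alg]}) is not NSEC3-aware; {hint}")
        else:
            problems.append(f"algorithm {alg} is not in the known registry subset")
    return problems


if __name__ == "__main__":
    # Constructed sample zone: NSEC3 in use, signed with RSASHA256 (8) and a
    # leftover RSASHA1 (5) key. Only the RSASHA1 key is flagged.
    for problem in check_zone_algorithms([8, 5], uses_nsec3=True):
        print("problem:", problem)
    # Hash of "example" with the RFC 5155 Appendix A parameters.
    print(nsec3_hash("example", bytes.fromhex("aabbccdd"), 12))
```

Running it flags only the RSASHA1 key and prints the NSEC3 owner-name hash for "example"; the same hash function is used whether the zone's RRSIGs come from algorithm 7, 8 or 13, which is exactly why no NSEC3-specific variant of the newer algorithms exists.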