#4261 Not able to choose NSEC or NSEC3 while generating DNSSEC-keys

1.630
open
nobody
None
5
2013-06-23
2013-06-22
JohnD8963
No

In addition to my previous ticket, please also add the remaining possible algorithms and make it possible, for the NSEC3-compatible algorithms, to choose NSEC3 when generating DNSSEC keys (dnssec-keygen in the background, I suppose).
The man-page for dnssec-keygen provides all the info regarding algorithms and NSEC/NSEC3.

Discussion

  • Jamie Cameron
    2013-06-23

    I'm not too familiar with NSEC3 .. what are the new algorithms?

     
  • JohnD8963
    2013-06-23

    As far as I understand from the man-page of dnssec-keygen, these are the algorithms when using the -a option in the command:
    For DNSSEC keys, the value of algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.

    Then there is the -3 option for NSEC3:
    Use an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms are NSEC3-capable.

    So, what I am looking for in Webmin is to set the algorithm to e.g. RSASHA256 and be able to choose NSEC or NSEC3 (which means the dnssec-keygen command is run without the -3 option or with the -3 option, respectively). The same goes for RSASHA512 and ECCGOST.
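The selection logic requested in this ticket, sketched as an added shell example (not part of the ticket and not Webmin code). `build_keygen_cmd` and the zone `example.com` are hypothetical; treating RSAMD5, RSASHA1 and DSA as not NSEC3-capable is an assumption drawn from the man-page text quoted above, and key size and other dnssec-keygen options are left out.

```shell
#!/bin/sh
# Hypothetical helper: map an algorithm plus an NSEC/NSEC3 choice onto the
# dnssec-keygen options quoted in the ticket (-a and -3).
# Usage: build_keygen_cmd ALGORITHM MODE ZONE
#   ALGORITHM  one of the -a values quoted above, or "" for "not set"
#   MODE       nsec | nsec3
#   ZONE       zone name (restricted to a conservative character set)
# Prints the command line for display; returns 1 on a rejected combination.
build_keygen_cmd() {
    alg=$1
    mode=$2
    zone=$3

    # A UI field must never reach a shell unchecked: allow only characters
    # expected in a zone name.
    case $zone in
        ""|*[!A-Za-z0-9._-]*) echo "invalid zone name" >&2; return 1 ;;
    esac

    # Classify the algorithm (assumption: the first group is NSEC-only).
    case $alg in
        RSAMD5|RSASHA1|DSA) capable=no ;;
        NSEC3RSASHA1|NSEC3DSA|RSASHA256|RSASHA512|ECCGOST) capable=yes ;;
        "") capable=unset ;;
        *) echo "unknown algorithm: $alg" >&2; return 1 ;;
    esac

    case $mode in
        nsec)
            # This example requires an explicit algorithm for NSEC.
            [ "$capable" != unset ] || { echo "algorithm required" >&2; return 1; }
            printf 'dnssec-keygen -a %s %s\n' "$alg" "$zone" ;;
        nsec3)
            case $capable in
                no)    echo "$alg is not NSEC3-capable" >&2; return 1 ;;
                # -3 without -a: the man page says NSEC3RSASHA1 is used.
                unset) printf 'dnssec-keygen -3 %s\n' "$zone" ;;
                yes)   printf 'dnssec-keygen -a %s -3 %s\n' "$alg" "$zone" ;;
            esac ;;
        *) echo "mode must be nsec or nsec3" >&2; return 1 ;;
    esac
}
```

The printed string is meant for display or logging; a caller that actually runs dnssec-keygen should pass the same values as separate arguments rather than evaluating the string.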