Teran McKinney
2008-Aug-15 16:24 UTC
[nsd-users] NSD not serving DNSKEY requests if the key is =>2048 bits
Hi,

I have been trying to roll out DNSSEC onto a TLD in my public VPN and two domains. I was hoping to do a 4096 bit KSK and 2048 bit ZSK, but unfortunately NSD 3.1.1 seems to not serve DNSKEY requests if the key is 2048 bits or more.

I tried generating RSASHA1 keys with bind's DNSSEC utilities and ldns' utilities. A KSK and ZSK of 1024 or 1280 bits worked fine when querying for DNSKEY. Simply changing the bit value to 2048 or 4096 and resigning the zone seemed to stop NSD from serving DNSKEY requests, however it still sent applicable RRSIG data if the DO flag was set. I also tried generating RSAMD5 keys, but they had the same effect.

My configuration file is fairly standard, but perhaps there is an option that I am missing?

ftp://icadyptes.go-beyond.org/icadyptes/abs/extra/daemons/nsd/ is my build script. The only main difference between running the script's build() directly and going through the normal build script parser is a $CFLAGS setting. This is on an Arch Linux fork I am working on.

Any ideas as to what might be causing this, or should I give any more information?

Thanks,
Teran (sega01)

PS: How well supported is SHA2 for DNSSEC? ldns optionally supports it and I have read of some vulnerabilities with SHA1, so I would prefer to use it.
Ondřej Surý
2008-Aug-15 17:36 UTC
[nsd-users] NSD not serving DNSKEY requests if the key is =>2048 bits
How big is the result packet? Did you try dig with +tcp flag? (EDNS0 should be enabled when you use +dnssec, but adding +edns=0 doesn't hurt anyway).

Ondrej.

2008/8/15 Teran McKinney <sega01 at gmail.com>:

--
Ondřej Surý <ondrej at sury.org>
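The questions about packet size and +tcp point at the classic DNS limit: without EDNS0 a UDP answer may not exceed 512 bytes, and a DNSKEY RRset built from 2048- and 4096-bit RSA keys is larger than that, so the server must truncate and the client has to retry over TCP. The following script is an added example and is not code from the thread or from NSD or ldns. It builds a DNSKEY answer in wire format from the RFC 4034 and RFC 3110 field layouts and reports whether it fits the UDP limit. Everything in it is constructed: the zone name `example.`, zero-filled placeholder keys and signatures of the right length (no real cryptography), the exponent 65537, an assumed EDNS0 buffer of 4096 bytes, and an assumed signing policy in which only the KSK signs the DNSKEY RRset. It generalises beyond the thread by accepting any list of key sizes.

```python
# Added example (not from the thread): estimate the wire size of a DNSKEY
# answer and compare it with the 512-byte limit that applies to plain UDP
# DNS without EDNS0. Keys and signatures are zero-filled placeholders of
# the correct length; no real cryptography is performed.
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035 maximum UDP payload without EDNS0
EDNS_UDP_SIZE = 4096             # assumed buffer size advertised via EDNS0
RSA_EXPONENT = b"\x01\x00\x01"   # 65537, the exponent most key generators use
TYPE_DNSKEY, TYPE_RRSIG, TYPE_OPT = 48, 46, 41
ALG_RSASHA1 = 5
OWNER_PTR = b"\xc0\x0c"          # compression pointer to the question name


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, bits):
    """RFC 4034 s2.1 DNSKEY RDATA carrying an RFC 3110 RSA key of `bits` bits."""
    pubkey = bytes([len(RSA_EXPONENT)]) + RSA_EXPONENT + b"\x00" * (bits // 8)
    return struct.pack("!HBB", flags, 3, ALG_RSASHA1) + pubkey


def rrsig_rdata(zone, signer_bits):
    """RFC 4034 s3.1 RRSIG RDATA: 18 fixed bytes, signer name, RSA signature."""
    labels = len([label for label in zone.rstrip(".").split(".") if label])
    fixed = struct.pack("!HBBIIIH", TYPE_DNSKEY, ALG_RSASHA1, labels, 3600, 0, 0, 0)
    return fixed + encode_name(zone) + b"\x00" * (signer_bits // 8)


def rr(rtype, rdata, ttl=3600):
    """One answer RR: compressed owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return OWNER_PTR + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_dnskey_response(zone, keys, dnssec_ok):
    """Build the answer a server returns for `dig DNSKEY zone`.

    keys: list of (flags, bits); flags 257 marks a KSK, 256 a ZSK.
    With the DO bit set, the KSK's RRSIG over the DNSKEY RRset and an OPT
    record are added (assumed policy: only the KSK signs the DNSKEY RRset).
    """
    answers = [rr(TYPE_DNSKEY, dnskey_rdata(flags, bits)) for flags, bits in keys]
    additional = []
    if dnssec_ok:
        for flags, bits in keys:
            if flags & 1:  # SEP bit set -> this is the KSK
                answers.append(rr(TYPE_RRSIG, rrsig_rdata(zone, bits)))
        # OPT pseudo-RR: root owner, CLASS = UDP buffer size, TTL = DO flag, no RDATA
        additional.append(b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, 0x8000, 0))
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, len(additional))
    question = encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, 1)
    return header + question + b"".join(answers) + b"".join(additional)


def udp_limit(dnssec_ok):
    """Largest UDP payload the client accepts; DO implies EDNS0 is in use."""
    return EDNS_UDP_SIZE if dnssec_ok else CLASSIC_UDP_LIMIT


def check_dnskey_answer(zone, keys, dnssec_ok):
    """Return (message length, fits in UDP). False means the server must set
    TC and the client has to retry over TCP (what `dig +tcp` forces)."""
    size = len(build_dnskey_response(zone, keys, dnssec_ok))
    return size, size <= udp_limit(dnssec_ok)


if __name__ == "__main__":
    # Constructed key sets mirroring the sizes tried in the thread.
    for keys in ([(257, 1024), (256, 1024)], [(257, 1280), (256, 1280)],
                 [(257, 2048), (256, 2048)], [(257, 4096), (256, 2048)]):
        for do in (False, True):
            size, fits = check_dnskey_answer("example.", keys, do)
            print(f"keys={keys} DO={do}: {size} bytes, "
                  f"{'fits' if fits else 'exceeds'} {udp_limit(do)}-byte UDP limit")
```

With 1024- or 1280-bit keys the plain (no DO, no EDNS0) DNSKEY answer stays under 512 bytes, while two 2048-bit keys or a 4096/2048 pair push it well past the limit; only with EDNS0 (implied by `+dnssec`) or TCP does the full answer get through. When checking a real server, compare `dig +norecurse DNSKEY zone` against `dig +tcp DNSKEY zone` and look for the TC flag in the UDP response header.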