Teran McKinney sega01 at gmail.com
Fri Aug 15 16:24:11 UTC 2008


I have been trying to roll out DNSSEC onto a TLD in my public VPN and
two domains. I was hoping to do a 4096 bit KSK and 2048 bit ZSK, but
unfortunately NSD 3.1.1 seems to not serve DNSKEY requests if the key
is 2048 bits or more.

I tried generating RSASHA1 keys with bind's DNSSEC utilities and ldns'
utilities. A KSK and ZSK of 1024 or 1280 bits worked fine when
querying for DNSKEY. Simply changing the bit value to 2048 or 4096 and
resigning the zone seemed to stop NSD from serving DNSKEY requests,
however it still sent applicable RRSIG data if the DO flag was set. I
also tried generating RSAMD5 keys, but they had the same effect.

My configuration file is fairly standard, but perhaps there is an
option that I am missing?

ftp://icadyptes.go-beyond.org/icadyptes/abs/extra/daemons/nsd/ is my
build script. The only main difference between running the script's
build() directly and going through the normal build script parser is a
$CFLAGS setting. This is on an Arch Linux fork I am working on.

Any ideas as to what might be causing this, or should I give any more

Teran (sega01)

PS: How well supported is SHA2 for DNSSEC? ldns optionally supports it
and I have read of some vulnerabilities with SHA1, so I would prefer
to use it.
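A small check a practitioner could run over the DNSKEY RRset (from the zone file or from `dig DNSKEY` output) to confirm what sizes the keys actually are and which ones fall at or above the 2048-bit size the post reports NSD 3.1.1 not serving. This is an added example, not code from the poster or from NSD; the records it works on are constructed with a synthetic RSA modulus, and `make_dnskey`, `check_keys` and the 2048-bit `limit` are this example's own names.

```python
import base64
import struct

RSA_ALGS = {1, 5, 7, 8, 10}   # RSA-based DNSSEC algorithm numbers (IANA registry)

def rsa_modulus_bits(key):
    """Bit length of the RSA modulus in an RFC 3110 public key field."""
    explen, off = key[0], 1
    if explen == 0:                      # long form: 0x00 then 2-byte exponent length
        explen, off = struct.unpack(">H", key[1:3])[0], 3
    return int.from_bytes(key[off + explen:], "big").bit_length()

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag (the id an RRSIG refers to). RSAMD5 (alg 1)
    uses the older B.1 rule instead, so it is not handled here."""
    rdata = struct.pack(">HBB", flags, proto, alg) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(rr_text):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' (zone file or
    dig output) into a dict with role, RSA key size and key tag."""
    f = rr_text.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    key = base64.b64decode("".join(f[i + 4:]))
    return {"owner": f[0], "flags": flags, "algorithm": alg,
            "role": "KSK" if flags & 1 else "ZSK",
            "bits": rsa_modulus_bits(key) if alg in RSA_ALGS else None,
            "tag": key_tag(flags, proto, alg, key) if alg != 1 else None}

def check_keys(records, limit=2048):
    """Flag keys at or above `limit` bits: the size from which the post
    reports NSD 3.1.1 stopped answering DNSKEY queries."""
    keys = [parse_dnskey(r) for r in records]
    for k in keys:
        k["flagged"] = k["bits"] is not None and k["bits"] >= limit
    return keys

def make_dnskey(owner, flags, alg, bits, exponent=65537):
    """Constructed sample record with a synthetic (not real) RSA modulus."""
    exp = exponent.to_bytes(3, "big")
    modulus = (1 << (bits - 1)) | 1          # top bit set -> exact bit length
    rdata = bytes([len(exp)]) + exp + modulus.to_bytes(bits // 8, "big")
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(rdata).decode()}"

# Constructed sample: a 1280-bit ZSK and a 4096-bit KSK, both RSASHA1 (alg 5).
SAMPLE = [make_dnskey("example.", 256, 5, 1280), make_dnskey("example.", 257, 5, 4096)]
```

Feeding it the output of `dig +dnssec DNSKEY <zone>` lets you compare the key tags it prints against the key tags in the RRSIGs the server still returns, which shows whether the missing DNSKEY records are the large ones.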

