[nsd-users] NSD not serving DNSKEY requests if the key is =>2048 bits

Ondřej Surý ondrej at sury.org
Fri Aug 15 17:36:14 UTC 2008

How big is the result packet?

Did you try dig with +tcp flag? (EDNS0 should be enabled when you use
+dnssec, but adding +edns=0 doesn't hurt anyway).


2008/8/15 Teran McKinney <sega01 at gmail.com>:
> Hi,
> I have been trying to roll out DNSSEC onto a TLD in my public VPN and
> two domains. I was hoping to do a 4096 bit KSK and 2048 bit ZSK, but
> unfortunately NSD 3.1.1 seems to not serve DNSKEY requests if the key
> is 2048 bits or more.
> I tried generating RSASHA1 keys with bind's DNSSEC utilities and ldns'
> utilities. A KSK and ZSK of 1024 or 1280 bits worked fine when
> querying for DNSKEY. Simply changing the bit value to 2048 or 4096 and
> resigning the zone seemed to stop NSD from serving DNSKEY requests,
> however it still sent applicable RRSIG data if the DO flag was set. I
> also tried generating RSAMD5 keys, but they had the same effect.
> My configuration file is fairly standard, but perhaps there is an
> option that I am missing?
> ftp://icadyptes.go-beyond.org/icadyptes/abs/extra/daemons/nsd/ is my
> build script. The only main difference between running the script's
> build() directly and going through the normal build script parser is a
> $CFLAGS setting. This is on an Arch Linux fork I am working on.
> Any ideas as to what might be causing this, or should I give any more
> information?
> Thanks,
> Teran (sega01)
> PS: How well supported is SHA2 for DNSSEC? ldns optionally supports it
> and I have read of some vulnerabilities with SHA1, so I would prefer
> to use it.

