[Opendnssec-develop] Algorithm Type and NSEC/NSEC3

Rickard Bondesson rickard.bondesson at iis.se
Thu Jul 9 13:17:58 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To summarize my suggestion:

Change the meaning of Policy/Keys/KSK/Algorithm and Policy/Keys/ZSK/Algorithm from algorithm type (currently 1, 5, and 7) to the algorithm name representing the signing mechanism (e.g. RSASHA1 and RSAMD5 or something similar). So that it does not specify anything about NSEC/NSEC3 in the KASP policy for the key.

When a key-pair is assigned to a zone within the Enforcer, it will get the correct algorithm type according to the denial type in the current policy in combination with the RSASHA1 or RSAMD5.

NSEC + MD5 = 1
NSEC + RSASHA1 = 5
NSEC3 + RSASHA1 = 7

The Signer Engine will still get 1, 5, or 7 in the signconf.xml from the communicated. So we should still be able to change policies (e.g. going from NSEC to NSEC3), since the key-pair itself will remember its own algorithm type.

So the change is only in kasp.xml (.rnc) and when assigning a key-pair to a zone in the KASP database. To make it easier for the user.

// Rickard
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSlXuBuCjgaNTdVjaAQg0Ogf+LsMXqvx2yEjUCwlDCvYykaRSn/yUQSJT
g29bg0xDivRbs1vbHd0lk49/ykwyprhndzX3pk7g2pRUiTD2ij48pf9+o+piaUvt
0Y0xMrfdtLv4Ml4vxFnVrZCHV6ro9OWuRAhQrPJIfBQ0JfePZnWm+5t5IBczl0Cx
aMQAbOT5CQVrUzZYTIf6w2GvA3CYLZ5r3OZoY4JwqFCVQWah/dyPWZpzoRFHWLw8
XulXQ0e/Z+zK0DA9hZyRLCzNVRHKmYErNACoHaf68Pte+NLUKS2yvFLYMSoSWk8B
9Q39vrLGoBzTKcxig+TvyeW+4Wq+54IM2Eew4VLm3Xbi9v6qes0pJA==
=sW3z
-----END PGP SIGNATURE-----
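The mapping and the NSEC-to-NSEC3 policy-change scenario described in the mail, modelled in Python as an added example (this is not OpenDNSSEC's own code; the key names, the policy dictionaries and the check for leftover algorithm-5 keys in an NSEC3 zone are assumptions added for illustration, while the algorithm numbers 1, 5 and 7 are the IANA DNSSEC numbers named in the mail):

```python
"""Added example (not OpenDNSSEC code) modelling the proposal in the mail.

The KASP policy names only the signing mechanism (e.g. "RSASHA1").  The
DNSSEC algorithm number is derived when a key-pair is assigned to a zone,
from that mechanism plus the policy's denial type (NSEC or NSEC3), and is
then stored on the key, so a later policy change does not rewrite it.
Key identifiers and policy dicts below are constructed for illustration.
"""
from dataclasses import dataclass

# (mechanism, denial type) -> DNSSEC algorithm number, as listed in the mail.
# RFC 5155 defines no NSEC3 alias for RSAMD5, so ("RSAMD5", "NSEC3") is
# deliberately absent and assignment under that combination fails.
ALGORITHM_NUMBER = {
    ("RSAMD5", "NSEC"): 1,
    ("RSASHA1", "NSEC"): 5,
    ("RSASHA1", "NSEC3"): 7,
}

# Inverse view: the denial type each algorithm number is meant for
# (5 is the NSEC number for RSASHA1, 7 the NSEC3 one).
DENIAL_FOR_ALGORITHM = {num: denial for (_, denial), num in ALGORITHM_NUMBER.items()}


def algorithm_number(mechanism: str, denial: str) -> int:
    """Derive the algorithm number at key-assignment time from policy fields."""
    try:
        return ALGORITHM_NUMBER[(mechanism.upper(), denial.upper())]
    except KeyError:
        raise ValueError(f"no DNSSEC algorithm number for {mechanism} with {denial}") from None


@dataclass
class KeyPair:
    name: str       # hypothetical key identifier (e.g. an HSM label)
    role: str       # "KSK" or "ZSK"
    algorithm: int  # fixed when the key is assigned to a zone


def assign_key(name: str, role: str, policy: dict) -> KeyPair:
    """Create a key under the current policy; the number lives on the key, not the policy."""
    return KeyPair(name, role, algorithm_number(policy["mechanism"], policy["denial"]))


def signconf_algorithms(keys) -> dict:
    """What the Signer Engine would see: one stored number per key, 1/5/7 as before."""
    return {k.name: k.algorithm for k in keys}


def keys_mismatching_denial(keys, denial: str) -> list:
    """Keys whose stored algorithm number does not fit the zone's current denial type.

    After an NSEC -> NSEC3 policy change, keys created under NSEC still carry
    algorithm 5.  RFC 5155 assigns 7 so that validators without NSEC3 support
    treat the zone as insecure instead of bogus; algorithm-5 keys left in an
    NSEC3 zone lose that property, so this check flags them for rollover.
    """
    return [k for k in keys if DENIAL_FOR_ALGORITHM.get(k.algorithm) != denial.upper()]


def demo_policy_change():
    """Walk one zone through an NSEC -> NSEC3 policy change (constructed data)."""
    policy = {"mechanism": "RSASHA1", "denial": "NSEC"}
    keys = [assign_key("ksk-1", "KSK", policy), assign_key("zsk-1", "ZSK", policy)]
    # Policy switches to NSEC3: existing keys keep 5, a newly assigned key gets 7.
    policy = {"mechanism": "RSASHA1", "denial": "NSEC3"}
    keys.append(assign_key("zsk-2", "ZSK", policy))
    leftover = [k.name for k in keys_mismatching_denial(keys, policy["denial"])]
    return signconf_algorithms(keys), leftover


if __name__ == "__main__":
    signconf, leftover = demo_policy_change()
    print("signconf algorithms:", signconf)
    print("keys to roll before relying on NSEC3 semantics:", leftover)
```

The point of `keys_mismatching_denial` is the caveat behind "the key-pair itself will remember its own algorithm type": remembering the number keeps the zone signable across a policy change, but the old keys must still be rolled before the zone's NSEC3 signalling (algorithm 7) is consistent.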


