[Opendnssec-develop] Algorithm Type and NSEC/NSEC3
Jakob Schlyter
jakob at kirei.se
Thu Jul 9 19:01:53 UTC 2009
first I'd like to note that the type of the key (in the HSM context) is indeed separate from what type of signatures we choose to create with that key. currently we say that a key is of a type (e.g. 7), which not only indicates that the key is an RSA key, but also that we should generate SHA1-based signatures and that we are using NSEC3.
for post-1.0 releases, we may reconsider this. we could choose to indicate that a key is RSA and add something to the <Signatures> element that indicates that we want to generate SHA1 signatures. whether it is NSEC3 or NSEC can be derived from the <Denial> element. this is much more elaborate, but I believe it is worth considering.
for the first release we keep the numerical algorithm identifier. we may want to allow mnemonics as described in the IANA registry[1], but I'm not sure about that. the current XML schema only allows integers, and if we change that, code must be added to both the enforcer and to the signer engine.
jakob
[1] http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
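To make the conflation concrete, here is an added example (not OpenDNSSEC code, not from the post) that unpacks a registry number such as 7 into the three things the post says it carries, accepts the IANA mnemonics as an alternative to integers, and derives the number back from the separated form (key type, signature digest, denial type) that the post proposes. The function names and the `nsec3_ok` flag are this example's own; the numbers and mnemonics are from the IANA registry cited above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AlgInfo:
    mnemonic: str
    key_type: str   # what the key in the HSM actually is
    digest: str     # what the signatures made with it use
    nsec3_ok: bool  # does this number signal NSEC3 support to validators?

# From the IANA dns-sec-alg-numbers registry. 6 and 7 are aliases of 3 and 5
# introduced by RFC 5155 purely to signal that the zone may use NSEC3;
# algorithms defined after NSEC3 (8 and up) support both NSEC and NSEC3.
ALGORITHMS = {
    3:  AlgInfo("DSA",                "DSA",       "SHA1",   False),
    5:  AlgInfo("RSASHA1",            "RSA",       "SHA1",   False),
    6:  AlgInfo("DSA-NSEC3-SHA1",     "DSA",       "SHA1",   True),
    7:  AlgInfo("RSASHA1-NSEC3-SHA1", "RSA",       "SHA1",   True),
    8:  AlgInfo("RSASHA256",          "RSA",       "SHA256", True),
    10: AlgInfo("RSASHA512",          "RSA",       "SHA512", True),
    13: AlgInfo("ECDSAP256SHA256",    "ECDSAP256", "SHA256", True),
    14: AlgInfo("ECDSAP384SHA384",    "ECDSAP384", "SHA384", True),
}

def parse_algorithm(value):
    """Accept the integer the 1.0 schema allows, or an IANA mnemonic."""
    text = str(value).strip()
    if text.isdigit():
        number = int(text)
    else:
        by_name = {i.mnemonic.upper(): n for n, i in ALGORITHMS.items()}
        number = by_name.get(text.upper())
    if number not in ALGORITHMS:
        raise ValueError(f"unknown DNSSEC algorithm: {value!r}")
    return number

def check_denial(algorithm, denial):
    """Is the <Denial> choice (NSEC or NSEC3) usable with this algorithm?"""
    info = ALGORITHMS[parse_algorithm(algorithm)]
    if denial == "NSEC":
        return True
    if denial == "NSEC3":
        return info.nsec3_ok  # e.g. 5 + NSEC3 is not a valid combination
    raise ValueError(f"unknown denial type: {denial!r}")

def algorithm_for(key_type, digest, denial):
    """Registry number for the separated form: key type (HSM),
    digest (<Signatures>), denial (<Denial>). Prefers a non-signalling
    number for NSEC when one exists, so RSA/SHA1 gives 5 for NSEC, 7 for NSEC3."""
    matches = {n: i for n, i in ALGORITHMS.items()
               if i.key_type == key_type and i.digest == digest}
    if denial == "NSEC3":
        matches = {n: i for n, i in matches.items() if i.nsec3_ok}
    elif denial == "NSEC":
        plain = {n: i for n, i in matches.items() if not i.nsec3_ok}
        matches = plain or matches
    else:
        raise ValueError(f"unknown denial type: {denial!r}")
    if not matches:
        raise ValueError(f"no algorithm for {key_type}/{digest} with {denial}")
    return min(matches)
```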