[Opendnssec-develop] SHA-2 keys mixed up

Alex Dalitz AlexD at nominet.org.uk
Thu Apr 29 15:26:09 UTC 2010

It looks like the signing was done exactly the other way around.

I can confirm that the Auditor switches the algorithms around during this check. The signer does what it should.

Alex, is it possible to fix before rc2?

Hang on...

The Auditor requirements state:

For each signed domain chosen for verification, the KA should check that:

  1.  There is an RRSIG record for each algorithm for which there is a DNSKEY RR (unless the domain is glue, an unsigned delegation or out of zone) [E]


In this case, there isn’t an RRSIG for algorithm 8 – only one for algorithm 10. So the auditor is simply pointing that out.
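
The rule quoted in the message above can be expressed as a set comparison per owner name. This is an added example, not part of the original message and not OpenDNSSEC auditor code; the record tuples, zone name and function names are constructed for illustration, and the exemptions (glue, unsigned delegation, out of zone) are simplified assumptions.

```python
from collections import defaultdict

APEX = "example.com."
# Constructed records: (owner, type, rdata). Only the fields the check needs.
RECORDS = [
    (APEX, "DNSKEY", {"algorithm": 8}),
    (APEX, "DNSKEY", {"algorithm": 10}),
    (APEX, "RRSIG", {"algorithm": 8}),
    (APEX, "RRSIG", {"algorithm": 10}),
    ("www.example.com.", "A", {}),
    ("www.example.com.", "RRSIG", {"algorithm": 10}),  # no algorithm 8 signature
    ("sub.example.com.", "NS", {}),                    # delegation without DS
    ("ns.sub.example.com.", "A", {}),                  # glue below the cut
    ("other.org.", "A", {}),                           # out of zone
]

def in_zone(name, apex):
    return name == apex or name.endswith("." + apex)

def missing_rrsig_algorithms(apex, records):
    """Map each audited owner name to DNSKEY algorithms that have no RRSIG there."""
    dnskey_algs = {rd["algorithm"] for n, t, rd in records
                   if n == apex and t == "DNSKEY"}
    types, sig_algs = defaultdict(set), defaultdict(set)
    for name, rtype, rd in records:
        types[name].add(rtype)
        if rtype == "RRSIG":
            sig_algs[name].add(rd["algorithm"])
    # Zone cuts: non-apex names that own an NS RRset.
    cuts = {n for n, ts in types.items() if n != apex and "NS" in ts}
    findings = {}
    for name in list(types):
        if not in_zone(name, apex):
            continue  # out of zone
        if any(name.endswith("." + cut) for cut in cuts):
            continue  # glue below a delegation
        if name in cuts and "DS" not in types[name]:
            continue  # unsigned delegation
        missing = dnskey_algs - sig_algs[name]
        if missing:
            findings[name] = sorted(missing)
    return findings

if __name__ == "__main__":
    for owner, algs in missing_rrsig_algorithms(APEX, RECORDS).items():
        print(f"{owner}: no RRSIG for algorithm(s) {algs}")
```

With the constructed data, only `www.example.com.` is reported, because it carries an algorithm 10 signature but none for algorithm 8, which is the situation the message describes.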
