[Opendnssec-develop] SHA-2 keys mixed up
AlexD at nominet.org.uk
Thu Apr 29 15:26:09 UTC 2010
It looks like the signing was done exactly the other way around.
I can confirm that the Auditor switches the algorithms around during this check. The signer does what it should.
Alex, is it possible to fix before rc2?
The Auditor requirements state:
For each signed domain chosen for verification, the KA should check that:
1. There is an RRSIG record for each algorithm for which there is a DNSKEY RR (unless the domain is glue, an unsigned delegation or out of zone) [E]
In this case, there isn’t an RRSIG for algorithm 8 – only one for algorithm 10. So the auditor is simply pointing that out.
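The check quoted from the Auditor requirements, sketched as an added example; it is not part of the original message and is not OpenDNSSEC's Auditor code. The zone data, the function name and the simplification that every non-apex NS owner is a delegation point are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample zone, not data from the thread. Key and signature fields are dummies.
ZONE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 3600 600 86400 3600
example.com. 3600 IN RRSIG SOA 10 2 3600 20100601000000 20100429000000 1111 example.com. c2ln
example.com. 3600 IN DNSKEY 257 3 8 a2V5OA==
example.com. 3600 IN DNSKEY 257 3 10 a2V5MTA=
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100601000000 20100429000000 2222 example.com. c2ln
example.com. 3600 IN RRSIG DNSKEY 10 2 3600 20100601000000 20100429000000 1111 example.com. c2ln
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 10 3 3600 20100601000000 20100429000000 1111 example.com. c2ln
sub.example.com. 3600 IN NS ns.sub.example.com.
ns.sub.example.com. 3600 IN A 192.0.2.53
"""

def missing_rrsig_algorithms(zone_text, apex):
    """Return {(owner, rrtype): [missing algorithms]} for RRsets that must be signed."""
    key_algs, rrsets, sig_algs, cuts = set(), set(), defaultdict(set), set()
    for line in zone_text.splitlines():
        if not line.strip():
            continue
        owner, _ttl, _cls, rrtype, *rdata = line.split()
        owner = owner.lower()
        if rrtype == "RRSIG":
            sig_algs[(owner, rdata[0])].add(int(rdata[1]))  # type covered, algorithm
            continue
        rrsets.add((owner, rrtype))
        if rrtype == "DNSKEY" and owner == apex:
            key_algs.add(int(rdata[2]))  # rdata is: flags, protocol, algorithm, key
        if rrtype == "NS" and owner != apex:
            cuts.add(owner)  # assumption: non-apex NS owner is a delegation point
    findings = {}
    for owner, rrtype in sorted(rrsets):
        out_of_zone = owner != apex and not owner.endswith("." + apex)
        below_cut = any(owner.endswith("." + c) for c in cuts)  # glue
        unsigned_at_cut = owner in cuts and rrtype not in ("DS", "NSEC")
        if out_of_zone or below_cut or unsigned_at_cut:
            continue  # the exceptions listed in the requirement
        missing = sorted(key_algs - sig_algs[(owner, rrtype)])
        if missing:
            findings[(owner, rrtype)] = missing
    return findings

if __name__ == "__main__":
    for (owner, rrtype), algs in missing_rrsig_algorithms(ZONE, "example.com.").items():
        print(f"{owner} {rrtype}: no RRSIG for algorithm(s) {algs}")
```

On the constructed zone this reports the SOA and `www` A RRsets as lacking an algorithm 8 signature, while the delegation NS and its glue are skipped.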