[Opendnssec-develop] SHA-2 keys mixed up

Rickard Bellgrim rickard.bellgrim at iis.se
Mon May 3 08:08:35 UTC 2010

> For each signed domain chosen for verification, the KA should check that: 
> 	• There is an RRSIG record for each algorithm for which there is a DNSKEY RR (unless the domain is glue, an unsigned delegation or out of zone) [E] 
> In this case, there isn’t an RRSIG for algorithm 8 – only one for algorithm 10. So the auditor is simply pointing that out.


RFC4035 - Section 2.2
"There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset."

So you cannot use one algorithm for the KSK and another for the ZSK in OpenDNSSEC.

// Rickard
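The RFC 4035 section 2.2 rule quoted above is easy to turn into the kind of check the auditor performs. The following Python is an added example, not code from the thread or from OpenDNSSEC's auditor: it takes the zone apex DNSKEY RRset, the RRSIG records, and the list of RRsets that should be signed, and reports every RRset that lacks an RRSIG from some algorithm present in the DNSKEY RRset. All zone data (the `example.` names and the KSK/ZSK pairs) is constructed for the demonstration.

```python
"""Added example: check the RFC 4035 section 2.2 requirement that every
signed RRset has an RRSIG made with at least one DNSKEY of each algorithm
in the zone apex DNSKEY RRset. Zone data below is constructed."""

from collections import defaultdict

# DNSSEC algorithm numbers from the IANA registry, as discussed in the thread.
RSASHA256 = 8
RSASHA512 = 10

# DNSKEY flags: 257 = KSK (SEP bit set), 256 = ZSK.
KSK, ZSK = 257, 256


def apex_algorithms(dnskeys):
    """Algorithm numbers present in the apex DNSKEY RRset.
    dnskeys: iterable of (flags, algorithm) tuples."""
    return {alg for _flags, alg in dnskeys}


def find_missing_rrsigs(dnskeys, rrsigs, rrsets):
    """Return {(owner, rrtype): {missing algorithms}} for each RRset in
    `rrsets` that has no RRSIG for some apex DNSKEY algorithm.

    rrsigs: iterable of (owner, covered_type, algorithm), one per RRSIG RR.
    rrsets: iterable of (owner, rrtype) that must be signed, i.e. already
            filtered to exclude glue, unsigned delegations and out-of-zone
            data, which the rule does not cover."""
    required = apex_algorithms(dnskeys)
    signed_with = defaultdict(set)
    for owner, rtype, alg in rrsigs:
        signed_with[(owner, rtype)].add(alg)
    missing = {}
    for rrset in rrsets:
        gap = required - signed_with.get(rrset, set())
        if gap:
            missing[rrset] = gap
    return missing


# Constructed zone: apex DNSKEY RRset plus two ordinary RRsets.
RRSETS = [("example.", "DNSKEY"), ("example.", "SOA"), ("www.example.", "A")]

# Mixed-algorithm setup from the thread: KSK alg 8, ZSK alg 10. The KSK
# signs the DNSKEY RRset, the ZSK signs everything, so non-apex RRsets
# only carry an algorithm 10 signature.
MIXED_DNSKEYS = [(KSK, RSASHA256), (ZSK, RSASHA512)]
MIXED_RRSIGS = [
    ("example.", "DNSKEY", RSASHA256),
    ("example.", "DNSKEY", RSASHA512),
    ("example.", "SOA", RSASHA512),
    ("www.example.", "A", RSASHA512),
]

# Compliant setup: both keys use the same algorithm.
SAME_ALG_DNSKEYS = [(KSK, RSASHA256), (ZSK, RSASHA256)]
SAME_ALG_RRSIGS = [
    ("example.", "DNSKEY", RSASHA256),
    ("example.", "SOA", RSASHA256),
    ("www.example.", "A", RSASHA256),
]


if __name__ == "__main__":
    for label, keys, sigs in (("mixed", MIXED_DNSKEYS, MIXED_RRSIGS),
                              ("same", SAME_ALG_DNSKEYS, SAME_ALG_RRSIGS)):
        problems = find_missing_rrsigs(keys, sigs, RRSETS)
        if problems:
            for (owner, rtype), algs in sorted(problems.items()):
                print(f"[{label}] {owner} {rtype}: no RRSIG for algorithm(s) "
                      f"{sorted(algs)}")
        else:
            print(f"[{label}] all RRsets signed with every apex algorithm")
```

With the mixed keys the check flags the SOA and A RRsets as lacking an algorithm 8 signature, which is exactly what the auditor reported; once both keys use the same algorithm the report is empty.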
