[Opendnssec-develop] SHA-2 keys mixed up

Alex Dalitz AlexD at nominet.org.uk
Tue May 4 07:29:13 UTC 2010

>> For each signed domain chosen for verification, the KA should check that:
>> € There is an RRSIG record for each algorithm for which there is a DNSKEY RR
>> (unless the domain is glue, an unsigned delegation or out of zone) [E]
>> ³
>> In this case, there isn¹t an RRSIG for algorithm 8 ­ only one for algorithm
>> 10. So the auditor is simply pointing that out.
> Yeah
> RFC4035 - Section 2.2
> "There MUST be an RRSIG for each RRset using at least one DNSKEY of each
> algorithm in the zone apex DNSKEY RRset."
> So you cannot use one algorithm for the KSK and another for the ZSK in

Sorry - slow start after a chicken-pox filled weekend...

Why can't you use two algorithms? Surely the rrsets should all be signed by
both algorithms, and everyone would be happy? Is it not an error in the
signing system to produce only one signature for these records?



More information about the Opendnssec-develop mailing list