[Opendnssec-develop] SHA-2 keys mixed up

Rickard Bellgrim rickard.bellgrim at iis.se
Tue May 4 07:54:48 UTC 2010

On 4 maj 2010, at 09.29, Alex Dalitz wrote:

>>> For each signed domain chosen for verification, the KA should check that:
>>> € There is an RRSIG record for each algorithm for which there is a DNSKEY RR
>>> (unless the domain is glue, an unsigned delegation or out of zone) [E]
>>> ³
>>> In this case, there isn¹t an RRSIG for algorithm 8  only one for algorithm
>>> 10. So the auditor is simply pointing that out.
>> Yeah
>> RFC4035 - Section 2.2
>> "There MUST be an RRSIG for each RRset using at least one DNSKEY of each
>> algorithm in the zone apex DNSKEY RRset."
>> So you cannot use one algorithm for the KSK and another for the ZSK in
>> OpenDNSSEC.
> Sorry - slow start after a chicken-pox filled weekend...
> Why can't you use two algorithms? Surely the rrsets should all be signed by
> both algorithms, and everyone would be happy? Is it not an error in the
> signing system to produce only one signature for these records?

You can, but not in OpenDNSSEC 1.1.0. OpenDNSSEC does not handle multiple algorithms correctly.

More information about the Opendnssec-develop mailing list