[Opendnssec-develop] SHA-2 keys mixed up
Rickard Bellgrim
rickard.bellgrim at iis.se
Tue May 4 07:54:48 UTC 2010
On 4 May 2010, at 09.29, Alex Dalitz wrote:
>>> For each signed domain chosen for verification, the KA should check that:
>>> • There is an RRSIG record for each algorithm for which there is a DNSKEY RR
>>> (unless the domain is glue, an unsigned delegation or out of zone) [E]
>>> "
>>>
>>> In this case, there isn't an RRSIG for algorithm 8, only one for algorithm
>>> 10. So the auditor is simply pointing that out.
>>
>> Yeah
>>
>> RFC4035 - Section 2.2
>> "There MUST be an RRSIG for each RRset using at least one DNSKEY of each
>> algorithm in the zone apex DNSKEY RRset."
>>
>> So you cannot use one algorithm for the KSK and another for the ZSK in
>> OpenDNSSEC.
>
> Sorry - slow start after a chicken-pox filled weekend...
>
> Why can't you use two algorithms? Surely the rrsets should all be signed by
> both algorithms, and everyone would be happy? Is it not an error in the
> signing system to produce only one signature for these records?
You can, but not in OpenDNSSEC 1.1.0. OpenDNSSEC does not handle multiple algorithms correctly.
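The check the auditor applies above (RFC 4035 section 2.2: one RRSIG per algorithm in the apex DNSKEY RRset, with glue, unsigned delegations and out-of-zone data exempt) written out as a small stand-alone Python checker. This is an added example, not OpenDNSSEC's or the KASP auditor's code; the zone fragment, key tags and signature fields are constructed to reproduce the algorithm 8 / algorithm 10 situation in the thread.

```python
"""Report RRsets that lack an RRSIG for some algorithm present in the apex DNSKEY RRset.

Added example for the RFC 4035 section 2.2 rule; not OpenDNSSEC or KASP auditor code.
"""
from collections import defaultdict

# Constructed zone fragment in presentation format (owner, type, rdata). Keys,
# key tags and signatures are placeholders. The apex DNSKEY RRset carries
# algorithms 8 (KSK) and 10 (ZSK), but SOA and ns1's A are signed with 10 only.
SAMPLE_ZONE = """\
example.           DNSKEY 257 3 8  AwEAAcKSKexample8
example.           DNSKEY 256 3 10 AwEAAcZSKexample10
example.           RRSIG  DNSKEY 8  1 3600 20100601000000 20100501000000 12345 example. sig=
example.           RRSIG  DNSKEY 10 1 3600 20100601000000 20100501000000 23456 example. sig=
example.           SOA    ns1.example. hostmaster.example. 2010050401 7200 3600 1209600 3600
example.           RRSIG  SOA    10 1 3600 20100601000000 20100501000000 23456 example. sig=
example.           NS     ns1.example.
example.           RRSIG  NS     8  1 3600 20100601000000 20100501000000 12345 example. sig=
example.           RRSIG  NS     10 1 3600 20100601000000 20100501000000 23456 example. sig=
ns1.example.       A      192.0.2.1
ns1.example.       RRSIG  A      10 1 3600 20100601000000 20100501000000 23456 example. sig=
child.example.     NS     ns1.child.example.   ; unsigned delegation: NS at a cut is never signed
ns1.child.example. A      192.0.2.53           ; glue below the delegation, never signed
ns1.other.         A      192.0.2.2            ; out of zone, ignored by the check
"""

# Exempt from the rule: anything not under the apex, the delegating NS RRset
# (and non-authoritative data) at a zone cut, and glue below a zone cut.
AUTHORITATIVE_AT_CUT = {"DS", "NSEC", "NSEC3"}


def parse_zone(text):
    """Tokenise presentation-format lines into (owner, type, rdata-fields)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        tokens = line.split()
        records.append((tokens[0].lower(), tokens[1].upper(), tokens[2:]))
    return records


def in_zone(name, zone):
    """True if name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def check_zone(text, apex):
    """Return (sorted apex algorithms, [(owner, type, [missing algorithms]), ...])."""
    apex = apex.lower()
    records = parse_zone(text)

    # DNSKEY rdata is: flags protocol algorithm publickey
    apex_algs = {int(rd[2]) for o, t, rd in records if o == apex and t == "DNSKEY"}
    if not apex_algs:
        raise ValueError("no DNSKEY RRset at the apex %s" % apex)

    # Every NS owner other than the apex is a zone cut (delegation point).
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}

    rrsets = set()
    sigs = defaultdict(set)  # (owner, type) -> algorithms that signed it
    for owner, typ, rd in records:
        if typ == "RRSIG":
            # RRSIG rdata is: typecovered algorithm labels origttl exp inc keytag signer sig
            sigs[(owner, rd[0].upper())].add(int(rd[1]))
        else:
            rrsets.add((owner, typ))

    def exempt(owner, typ):
        if not in_zone(owner, apex):
            return "out of zone"
        if owner in cuts and typ not in AUTHORITATIVE_AT_CUT:
            return "delegation"
        if any(owner != c and in_zone(owner, c) for c in cuts):
            return "glue"
        return None

    errors = []
    for owner, typ in sorted(rrsets):
        if exempt(owner, typ):
            continue
        missing = apex_algs - sigs.get((owner, typ), set())
        if missing:
            errors.append((owner, typ, sorted(missing)))
    return sorted(apex_algs), errors


if __name__ == "__main__":
    algs, errs = check_zone(SAMPLE_ZONE, "example.")
    print("apex DNSKEY algorithms:", algs)
    for owner, typ, missing in errs:
        print("%s %s: no RRSIG for algorithm(s) %s" % (owner, typ, missing))
```

Run against the sample the checker flags exactly the two RRsets signed with the ZSK algorithm only, which is the complaint the auditor raised in the thread; once each RRset also carries an algorithm 8 RRSIG the report is empty. The delegating NS, its glue and the out-of-zone address are skipped, matching the exemptions in the quoted auditor rule.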