[Opendnssec-develop] SHA-2 keys mixed up
Roy Arends
roy at nominet.org.uk
Tue May 4 09:35:45 UTC 2010
On May 4, 2010, at 8:29 AM, Alex Dalitz wrote:
>>> For each signed domain chosen for verification, the KA should check that:
>>> • There is an RRSIG record for each algorithm for which there is a DNSKEY RR
>>> (unless the domain is glue, an unsigned delegation or out of zone) [E]
>>> "
>>>
>>> In this case, there isn't an RRSIG for algorithm 8, only one for algorithm
>>> 10. So the auditor is simply pointing that out.
>>
>> Yeah
>>
>> RFC4035 - Section 2.2
>> "There MUST be an RRSIG for each RRset using at least one DNSKEY of each
>> algorithm in the zone apex DNSKEY RRset."
>>
>> So you cannot use one algorithm for the KSK and another for the ZSK in
>> OpenDNSSEC.
>
> Sorry - slow start after a chicken-pox filled weekend...
>
> Why can't you use two algorithms? Surely the rrsets should all be signed by
> both algorithms, and everyone would be happy?
Yep
> Is it not an error in the
> signing system to produce only one signature for these records?
It is.
Roy
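The RFC 4035 section 2.2 check the auditor applies to each RRset, as an added illustration that is not part of this thread or of OpenDNSSEC's own auditor code; the zone data is constructed, and the `exempt` flag is an assumption about how glue, unsigned delegations and out-of-zone data would be marked.

```python
from dataclasses import dataclass, field


@dataclass
class RRset:
    """One RRset of the zone plus the algorithms of the RRSIGs covering it."""
    owner: str
    rtype: str
    rrsig_algs: set = field(default_factory=set)
    # Exemptions named in the thread: glue, unsigned delegations and
    # out-of-zone data are not expected to carry RRSIGs at all (assumed flag).
    exempt: bool = False


def missing_algorithms(dnskey_algs, rrsets):
    """RFC 4035 sec. 2.2: every signed RRset needs an RRSIG made with at least
    one DNSKEY of each algorithm present in the apex DNSKEY RRset.
    Returns {(owner, rtype): {algorithms with no RRSIG}} for the offenders."""
    problems = {}
    for rr in rrsets:
        if rr.exempt:
            continue
        missing = set(dnskey_algs) - rr.rrsig_algs
        if missing:
            problems[(rr.owner, rr.rtype)] = missing
    return problems


# Constructed sample reproducing the thread's case: KSK with algorithm 8,
# ZSK with algorithm 10, and the zone's RRsets signed by the ZSK only.
APEX_DNSKEY_ALGS = {8, 10}
SAMPLE_RRSETS = [
    RRset("example.", "DNSKEY", {8, 10}),              # signed by both keys
    RRset("example.", "SOA", {10}),                    # ZSK signature only
    RRset("www.example.", "A", {10}),                  # ZSK signature only
    RRset("sub.example.", "NS", set(), exempt=True),   # unsigned delegation
    RRset("ns.sub.example.", "A", set(), exempt=True), # glue
]

if __name__ == "__main__":
    report = missing_algorithms(APEX_DNSKEY_ALGS, SAMPLE_RRSETS)
    for (owner, rtype), algs in sorted(report.items()):
        print(f"{owner} {rtype}: no RRSIG for algorithm(s) {sorted(algs)}")
```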