[Opendnssec-develop] SHA-2 keys mixed up
roy at nominet.org.uk
Tue May 4 09:35:45 UTC 2010
On May 4, 2010, at 8:29 AM, Alex Dalitz wrote:
>>> For each signed domain chosen for verification, the KA should check that:
>>> € There is an RRSIG record for each algorithm for which there is a DNSKEY RR
>>> (unless the domain is glue, an unsigned delegation or out of zone) [E]
>>> In this case, there isn¹t an RRSIG for algorithm 8 only one for algorithm
>>> 10. So the auditor is simply pointing that out.
>> RFC4035 - Section 2.2
>> "There MUST be an RRSIG for each RRset using at least one DNSKEY of each
>> algorithm in the zone apex DNSKEY RRset."
>> So you cannot use one algorithm for the KSK and another for the ZSK in
> Sorry - slow start after a chicken-pox filled weekend...
> Why can't you use two algorithms? Surely the rrsets should all be signed by
> both algorithms, and everyone would be happy?
> Is it not an error in the
> signing system to produce only one signature for these records?
More information about the Opendnssec-develop