[Opendnssec-develop] SHA-2 keys mixed up

Matthijs Mekking matthijs at NLnetLabs.nl
Wed May 5 15:20:23 UTC 2010



Catching up on this thread...

I agree this is a bug.

I assume the signer engine is just following orders: The signer
configuration is presumably not marking the key with algorithm 8 as a
KSK (and the key with algorithm 10 as ZSK).

The question is, who should take care of this? Should the signer
discover this and not follow the signer configuration? Should the
enforcer discover this and mark both ZSK/KSK?

Or should we forbid this policy?

Or should we extend the KNOWN ISSUES about algorithm rollover with
'using multiple algorithms is broken'?

Best regards,

Matthijs


Roy Arends wrote:
> On May 4, 2010, at 8:29 AM, Alex Dalitz wrote:
> 
>>>> For each signed domain chosen for verification, the KA should check that:
>>>> - There is an RRSIG record for each algorithm for which there is a DNSKEY RR
>>>> (unless the domain is glue, an unsigned delegation or out of zone) [E]
>>>> "
>>>>
>>>> In this case, there isn't an RRSIG for algorithm 8, only one for algorithm
>>>> 10. So the auditor is simply pointing that out.
>>> Yeah
>>>
>>> RFC4035 - Section 2.2
>>> "There MUST be an RRSIG for each RRset using at least one DNSKEY of each
>>> algorithm in the zone apex DNSKEY RRset."
>>>
>>> So you cannot use one algorithm for the KSK and another for the ZSK in
>>> OpenDNSSEC.
>> Sorry - slow start after a chicken-pox filled weekend...
>>
>> Why can't you use two algorithms? Surely the rrsets should all be signed by
>> both algorithms, and everyone would be happy?
> 
> Yep
> 
>> Is it not an error in the
>> signing system to produce only one signature for these records?
> 
> It is.
> 
> Roy

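The auditor check quoted above (RFC 4035 section 2.2: every signed RRset needs an RRSIG for each algorithm present in the apex DNSKEY RRset) as an added Python example; this is not code from OpenDNSSEC or from anyone on this thread. The zone is a constructed sample modelling the scenario discussed: KSK with algorithm 8, ZSK with algorithm 10, DNSKEY RRset signed by both, everything else signed only by algorithm 10.

```python
from collections import defaultdict

APEX = "example."

# Constructed sample zone: (owner, rtype, rdata). DNSKEY rdata is (flags, algorithm),
# RRSIG rdata is (type_covered, algorithm); other rdata is irrelevant to the check.
ZONE = [
    ("example.", "DNSKEY", (257, 8)),            # KSK, algorithm 8
    ("example.", "DNSKEY", (256, 10)),           # ZSK, algorithm 10
    ("example.", "RRSIG", ("DNSKEY", 8)),
    ("example.", "RRSIG", ("DNSKEY", 10)),
    ("example.", "SOA", None),
    ("example.", "RRSIG", ("SOA", 10)),          # only the ZSK algorithm
    ("www.example.", "A", None),
    ("www.example.", "RRSIG", ("A", 10)),        # only the ZSK algorithm
    ("sub.example.", "NS", "ns.sub.example."),   # unsigned delegation: exempt
    ("ns.sub.example.", "A", None),              # glue: exempt
]

def apex_algorithms(zone, apex):
    """Set of algorithm numbers present in the apex DNSKEY RRset."""
    return {rdata[1] for o, t, rdata in zone if o == apex and t == "DNSKEY"}

def exempt(owner, rtype, zone, apex):
    """RRsets at or below a delegation point are not signed by this zone,
    except a DS RRset at the delegation point itself."""
    delegations = {o for o, t, _ in zone if t == "NS" and o != apex}
    if rtype == "DS" and owner in delegations:
        return False
    return any(owner == d or owner.endswith("." + d) for d in delegations)

def missing_signatures(zone, apex):
    """Map (owner, rtype) -> sorted algorithms that lack an RRSIG on that RRset."""
    required = apex_algorithms(zone, apex)
    signed = defaultdict(set)   # (owner, type_covered) -> algorithms with an RRSIG
    rrsets = set()
    for owner, rtype, rdata in zone:
        if rtype == "RRSIG":
            signed[(owner, rdata[0])].add(rdata[1])
        elif not exempt(owner, rtype, zone, apex):
            rrsets.add((owner, rtype))
    return {rs: sorted(required - signed[rs]) for rs in sorted(rrsets)
            if required - signed[rs]}

def sign_missing(zone, apex):
    """Remediation model: add one RRSIG per missing algorithm (constructed stand-in
    for a signer producing signatures with both the KSK and ZSK algorithms)."""
    fixed = list(zone)
    for (owner, rtype), algs in missing_signatures(zone, apex).items():
        fixed.extend((owner, "RRSIG", (rtype, alg)) for alg in algs)
    return fixed
```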