[Opendnssec-user] OpenDNSSEC and keys with different algorithms

Sebastian Castro sebastian at nzrs.net.nz
Wed Aug 18 02:35:29 UTC 2010


While auditing one of my test zones, the auditor complained vigorously
about

RRSIGS should include algorithm RSASHA256 for nzrs.net.nz, DNSKEY, have : RSASHA1-NSEC3-SHA1
3: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1 for nzrs.net.nz, NS, have : RSASHA256

In a previous message sent to the mailing list (ref
http://lists.nominet.org.uk/pipermail/opendnssec-user/2010-March/000465.html)
someone noted the same issue that seems to be related to algorithm
rollover handling.

This case is not an algorithm rollover, it's a KSK using algorithm 7 and
the ZSK using algorithm 8. IMHO the signer is doing the right thing:
signing the DNSKEY RR Set with the KSK and the rest of the RRsets with
the ZSK, but the auditor complains probably based on Section 2.2 of RFC
4035 (hot topic these days).

Any thoughts? Who's right: the signer or the auditor?

cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

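The rule the auditor is applying, RFC 4035 section 2.2, says every RRset in the zone must carry an RRSIG made with at least one DNSKEY of each algorithm present in the apex DNSKEY RRset. The following is an added example, not OpenDNSSEC's own auditor code: it models a zone as plain Python data (the owner names, RRsets and algorithm numbers are constructed to mirror the post, with a KSK of algorithm 7 and a ZSK of algorithm 8) and reproduces the coverage check, then runs it again on a single-algorithm variant of the same zone where the split KSK/ZSK signing pattern passes.

```python
"""Algorithm-coverage check in the spirit of RFC 4035, section 2.2.

Added example, not OpenDNSSEC or auditor code. The zone is modelled as
plain Python data (constructed to mirror the post: KSK algorithm 7,
ZSK algorithm 8); no zone file is parsed and no signatures are verified.
"""
from collections import defaultdict

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry.
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
}


def algorithm_name(alg):
    """Mnemonic for an algorithm number (falls back to ALG<n> for unknown ones)."""
    return ALGORITHM_NAMES.get(alg, "ALG%d" % alg)


def check_algorithm_coverage(dnskey_algorithms, rrsets, rrsigs):
    """Return findings for every RRset lacking an RRSIG of some zone algorithm.

    dnskey_algorithms: algorithm numbers present in the apex DNSKEY RRset.
    rrsets: (owner, type) pairs for every RRset that must be signed.
    rrsigs: (owner, type_covered, algorithm) triples, one per RRSIG.

    RFC 4035 section 2.2 requires each RRset to be signed with at least one
    DNSKEY of *every* algorithm in the apex DNSKEY RRset, so a KSK of
    algorithm 7 plus a ZSK of algorithm 8 leaves every RRset short of one
    algorithm, whichever key produced its signature.
    """
    required = set(dnskey_algorithms)
    signed_with = defaultdict(set)
    for owner, rtype, alg in rrsigs:
        signed_with[(owner, rtype)].add(alg)

    findings = []
    for owner, rtype in sorted(set(rrsets)):
        have = signed_with.get((owner, rtype), set())
        for missing in sorted(required - have):
            findings.append({
                "owner": owner,
                "type": rtype,
                "missing": algorithm_name(missing),
                "have": [algorithm_name(a) for a in sorted(have)],
            })
    return findings


def format_finding(finding):
    """Render a finding in the style of the auditor message quoted in the post."""
    return "RRSIGS should include algorithm %s for %s, %s, have: %s" % (
        finding["missing"], finding["owner"], finding["type"],
        ", ".join(finding["have"]) or "(none)")


# Constructed zone as described in the post: KSK (alg 7) signs DNSKEY only,
# ZSK (alg 8) signs every other RRset.
MIXED_DNSKEY_ALGS = [7, 8]
MIXED_RRSETS = [
    ("nzrs.net.nz", "DNSKEY"),
    ("nzrs.net.nz", "NS"),
    ("nzrs.net.nz", "SOA"),
    ("www.nzrs.net.nz", "A"),
]
MIXED_RRSIGS = [
    ("nzrs.net.nz", "DNSKEY", 7),
    ("nzrs.net.nz", "NS", 8),
    ("nzrs.net.nz", "SOA", 8),
    ("www.nzrs.net.nz", "A", 8),
]

# Constructed compliant variant: KSK and ZSK both use algorithm 8, so the
# apex DNSKEY RRset holds a single algorithm and the split signing pattern
# (KSK over DNSKEY, ZSK over the rest) satisfies the rule.
SINGLE_DNSKEY_ALGS = [8, 8]
SINGLE_RRSIGS = [
    ("nzrs.net.nz", "DNSKEY", 8),
    ("nzrs.net.nz", "NS", 8),
    ("nzrs.net.nz", "SOA", 8),
    ("www.nzrs.net.nz", "A", 8),
]


def audit_mixed_zone():
    """Findings for the mixed-algorithm zone, formatted as auditor lines."""
    return [format_finding(f) for f in
            check_algorithm_coverage(MIXED_DNSKEY_ALGS, MIXED_RRSETS, MIXED_RRSIGS)]


def audit_single_algorithm_zone():
    """Findings for the single-algorithm zone (expected to be empty)."""
    return [format_finding(f) for f in
            check_algorithm_coverage(SINGLE_DNSKEY_ALGS, MIXED_RRSETS, SINGLE_RRSIGS)]


if __name__ == "__main__":
    for line in audit_mixed_zone() or ["mixed zone: no findings"]:
        print(line)
    for line in audit_single_algorithm_zone() or ["single-algorithm zone: no findings"]:
        print(line)
```

Run stand-alone, the mixed zone produces one finding per RRset (DNSKEY lacks RSASHA256, everything else lacks RSASHA1-NSEC3-SHA1), which is exactly the shape of complaint quoted above; the single-algorithm zone produces none. The check deliberately takes the list of RRsets separately from the RRSIGs so that an RRset with no signature at all is reported rather than silently skipped.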