[Opendnssec-user] OpenDNSSEC and keys with different algorithms

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Aug 18 05:35:32 UTC 2010


The Auditor is right. All RRsets must be signed by all of the DNSKEY algorithms.

So you should not use different algorithms for the KSK and the ZSK. And in the long run, we should handle multiple algorithms better.

// Rickard

On 18 Aug 2010, at 04:36, Sebastian Castro <sebastian at nzrs.net.nz> wrote:

> 
> While auditing one of my test zones, the auditor complained vigorously
> about
> 
> RRSIGS should include algorithm RSASHA256 for nzrs.net.nz, DNSKEY, have
> : RSASHA1-NSEC3-SHA1
> 3: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1 for nzrs.net.nz,
> NS, have : RSASHA256
> 
> In a previous message sent to the mailing list (ref
> http://lists.nominet.org.uk/pipermail/opendnssec-user/2010-March/000465.html)
> someone noted the same issue that seems to be related to algorithm
> rollover handling.
> 
> This case is not an algorithm rollover, it's a KSK using algorithm 7 and
> the ZSK using algorithm 8. IMHO the signer is doing the right thing:
> signing the DNSKEY RR Set with the KSK and the rest of the RRsets with
> the ZSK, but the auditor complains probably based on Section 2.2 of RFC
> 4035 (hot topic these days).
> 
> Any thoughts? Who's right: the signer or the auditor?
> 
> cheers,
> -- 
> Sebastian Castro
> DNS Specialist
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 495 2337
> mobile: +64 21 400535
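The rule Rickard states above (every RRset must carry an RRSIG for every algorithm present in the DNSKEY RRset, RFC 4035 section 2.2) as an added example, not OpenDNSSEC or Auditor code; the record tuples, `build_sample_zone` and the miniature zone it constructs are assumptions made for illustration:

```python
# Added example, not OpenDNSSEC code: the RFC 4035 section 2.2 coverage check
# the Auditor enforces, run over a constructed miniature of the zone in the
# thread (KSK on algorithm 7 = RSASHA1-NSEC3-SHA1, ZSK on algorithm 8 = RSASHA256).
from collections import defaultdict

def build_sample_zone(ksk_alg, zsk_alg):
    """Constructed sample zone mirroring the signer behaviour Sebastian
    describes: the KSK signs only the DNSKEY RRset, the ZSK signs the rest.
    Records are (owner, rrtype, rdata-dict); RRSIG rdata carries no real
    signature bytes, only the covered type and the algorithm number."""
    owner = "nzrs.net.nz."
    return [
        (owner, "DNSKEY", {"flags": 257, "alg": ksk_alg}),   # KSK
        (owner, "DNSKEY", {"flags": 256, "alg": zsk_alg}),   # ZSK
        (owner, "RRSIG", {"covers": "DNSKEY", "alg": ksk_alg}),
        (owner, "NS", {"target": "ns1.example."}),
        (owner, "RRSIG", {"covers": "NS", "alg": zsk_alg}),
        (owner, "SOA", {}),
        (owner, "RRSIG", {"covers": "SOA", "alg": zsk_alg}),
    ]

def check_algorithm_coverage(records):
    """Return (owner, rrtype, missing_alg) for every RRset lacking an RRSIG
    from one of the algorithms in the zone's DNSKEY RRset. An empty list
    means every RRset is signed by every DNSKEY algorithm."""
    dnskey_algs = {rd["alg"] for _, t, rd in records if t == "DNSKEY"}
    rrsets = {(owner, t) for owner, t, _ in records if t != "RRSIG"}
    signed_by = defaultdict(set)
    for owner, t, rd in records:
        if t == "RRSIG":
            signed_by[(owner, rd["covers"])].add(rd["alg"])
    problems = []
    for owner, t in sorted(rrsets):
        for alg in sorted(dnskey_algs - signed_by[(owner, t)]):
            problems.append((owner, t, alg))
    return problems

if __name__ == "__main__":
    # Mixed algorithms: reproduces the Auditor's complaints from the thread.
    for owner, t, alg in check_algorithm_coverage(build_sample_zone(7, 8)):
        print(f"RRSIGS should include algorithm {alg} for {owner} {t}")
    # Same algorithm for KSK and ZSK, as Rickard recommends: no complaints.
    print(check_algorithm_coverage(build_sample_zone(8, 8)))
```

With a KSK on algorithm 7 and a ZSK on algorithm 8 the check flags the DNSKEY RRset (missing algorithm 8) and every other RRset (missing algorithm 7), exactly the two complaint classes quoted in the thread; with both keys on the same algorithm it returns nothing.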