[Opendnssec-user] OpenDNSSEC and keys with different algorithms

Roy Arends roy at nominet.org.uk
Wed Aug 18 08:34:06 UTC 2010


On Aug 18, 2010, at 7:35 AM, Rickard Bellgrim wrote:

> The Auditor is right. All RRsets must be signed by all of the DNSKEY algorithms.
> 
> So you should not use different algorithms for the KSK and the ZSK. And in the long run, we should handle multiple algorithms better.

Yes, there must be a signature by at least one key of each algorithm in the DNSKEY RRSet over each RRSet. So if you have both algs 7 and 8 in the keyset, you should have sigs by both 7 and 8 over all RRSets.

Roy



> 
> // Rickard
> 
> 18 aug 2010 kl. 04:36 skrev Sebastian Castro <sebastian at nzrs.net.nz>:
> 
>> 
>> While auditing one of my test zones, the auditor complained vigorously
>> about
>> 
>> RRSIGS should include algorithm RSASHA256 for nzrs.net.nz, DNSKEY, have
>> : RSASHA1-NSEC3-SHA1
>> 3: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1 for nzrs.net.nz,
>> NS, have : RSASHA256
>> 
>> In a previous message sent to the mailing list (ref
>> http://lists.nominet.org.uk/pipermail/opendnssec-user/2010-March/000465.html)
>> someone noted the same issue that seems to be related to algorithm
>> rollover handling.
>> 
>> This case is not an algorithm rollover, it's a KSK using algorithm 7 and
>> the ZSK using algorithm 8. IMHO the signer is doing the right thing:
>> signing the DNSKEY RR Set with the KSK and the rest of the RRsets with
>> the ZSK, but the auditor complains probably based on Section 2.2 of RFC
>> 4035 (hot topic these days).
>> 
>> Any thoughts? Who's right: the signer or the auditor?
>> 
>> cheers,
>> -- 
>> Sebastian Castro
>> DNS Specialist
>> .nz Registry Services (New Zealand Domain Name Registry Limited)
>> desk: +64 4 495 2337
>> mobile: +64 21 400535
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
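The rule Roy states (RFC 4035 section 2.2), as an added example that is not from the thread or from OpenDNSSEC's auditor: a small Python checker that reads a constructed zone fragment reproducing Sebastian's split (KSK with algorithm 7 signing only DNSKEY, ZSK with algorithm 8 signing the rest) and reports, per RRset, which DNSKEY algorithms have no covering RRSIG. The owner name, key material, key tags and signature fields are placeholders.

```python
"""RFC 4035 section 2.2 check: every RRset in a signed zone must carry an RRSIG
for each algorithm present in the zone's DNSKEY RRset."""
from collections import defaultdict

ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}  # the two algorithms in the thread

# Constructed zone fragment (placeholder keys/signatures): KSK alg 7 signs only
# the DNSKEY RRset, ZSK alg 8 signs everything else.
ZONE = """\
nzrs.net.nz. 3600 IN DNSKEY 257 3 7 AwEAAc...KSK
nzrs.net.nz. 3600 IN DNSKEY 256 3 8 AwEAAc...ZSK
nzrs.net.nz. 3600 IN RRSIG DNSKEY 7 3 3600 20100901000000 20100818000000 12345 nzrs.net.nz. sig1
nzrs.net.nz. 3600 IN NS ns1.nzrs.net.nz.
nzrs.net.nz. 3600 IN RRSIG NS 8 3 3600 20100901000000 20100818000000 54321 nzrs.net.nz. sig2
"""

def parse_zone(text):
    """Return (DNSKEY algorithms, {(owner, type): RRSIG algorithms}, all RRsets)."""
    dnskey_algs, sig_algs, rrsets = set(), defaultdict(set), set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype = f[0], f[3]
        if rtype == "RRSIG":
            # RRSIG presentation format: type-covered algorithm labels ...
            sig_algs[(owner, f[4])].add(int(f[5]))
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY":
            dnskey_algs.add(int(f[6]))  # DNSKEY: flags protocol ALGORITHM key
    return dnskey_algs, sig_algs, rrsets

def missing_algorithms(text):
    """Map each RRset lacking a signature for some DNSKEY algorithm to the
    sorted list of missing algorithm numbers; an empty dict means the zone passes."""
    dnskey_algs, sig_algs, rrsets = parse_zone(text)
    problems = {}
    for rrset in sorted(rrsets):
        missing = dnskey_algs - sig_algs.get(rrset, set())
        if missing:
            problems[rrset] = sorted(missing)
    return problems

if __name__ == "__main__":
    for (owner, rtype), algs in missing_algorithms(ZONE).items():
        names = ", ".join(ALG_NAMES.get(a, str(a)) for a in algs)
        print(f"RRSIGS should include algorithm {names} for {owner} {rtype}")
```

Adding an algorithm-8 RRSIG over DNSKEY and an algorithm-7 RRSIG over NS (or using one algorithm for both keys, as Rickard suggests) makes the check return an empty dict.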