[Opendnssec-user] Question about kasp.xml - Algorithm

Edward Lewis edward.lewis at icann.org
Fri Feb 3 20:31:21 UTC 2023


....Hello...just got access to this list...despite a long history with DNSSEC, I had never tried OpenDNSSEC until last month...

In setting up a trial of opendnssec, I see " <Algorithm length="2048">8</Algorithm> " in kasp.xml to set up a 2K RSA-SHA-256 key.  I want to change to Ed25519 ("15" according to the IANA registry for those things), which I can do by changing the "8" above to "15".

My question - must I specify the length?  I've tried looking for documentation about the kasp.xml syntax, but cannot find anything since 2014, and cannot find any examples that use any non-RSA-based algorithm.  That document said that OpenDNSSEC could not do an algorithm rollover, but using OpenDNSSEC 2.something, I got it to work, so I suspect that documentation is way out of date.

I managed to get a configuration to work for Ed25519, but not if I omit the length or set it to 0.

I have the length set to "256" now, but it took a bit of web searching to find that that ought to be the correct value, as the IETF document defining the Ed25519 DNS Security Algorithm doesn't bother to mention the length!  If I recall, even when the length value was 2048 (because that was what the file had initially), Ed25519 worked.  (It seems that the parser doesn't like "no value" or "0" for length, but anything else is ignored, maybe?)

For general information - is there a more-recent-than-2014 document for kasp.xml?  Is there a detailed spec for the "Algorithm" XML "key word"?
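A small pre-flight check for the Algorithm elements discussed above, added here as an example; it is not part of OpenDNSSEC or of this post. The Policy/Keys/KSK/ZSK layout around the Algorithm element, the algorithm-to-length table (256 bits for Ed25519, as found above; the others are the fixed public-key sizes of those algorithms) and the sample kasp.xml fragment are assumptions.

```python
import xml.etree.ElementTree as ET

# IANA DNSSEC algorithm numbers used below (assumed table). For the ECDSA and
# Edwards-curve algorithms the key size is fixed, so the expected "length" is
# the public key size in bits; for RSA it is the modulus size and must be chosen.
ALGORITHMS = {
    8: ("RSASHA256", None),
    13: ("ECDSAP256SHA256", 256),
    14: ("ECDSAP384SHA384", 384),
    15: ("ED25519", 256),
    16: ("ED448", 456),
}
MIN_RSA_BITS = 2048

# Constructed kasp.xml fragment (policy/key layout assumed; only the Algorithm
# element itself follows the post). The ZSK omits the length attribute.
SAMPLE_KASP = """<KASP>
  <Policy name="trial">
    <Keys>
      <KSK><Algorithm length="256">15</Algorithm></KSK>
      <ZSK><Algorithm>15</Algorithm></ZSK>
    </Keys>
  </Policy>
</KASP>"""


def check_kasp(xml_text):
    """Return (policy, role, message) findings for every Algorithm element."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("Policy"):
        pname = policy.get("name", "?")
        for role in ("KSK", "ZSK", "CSK"):
            alg = policy.find(f"Keys/{role}/Algorithm")
            if alg is None:
                continue
            number = int((alg.text or "").strip())
            if number not in ALGORITHMS:
                findings.append((pname, role, f"unknown or unsupported algorithm {number}"))
                continue
            name, fixed_bits = ALGORITHMS[number]
            length = alg.get("length", "")
            # the post reports that a missing or zero length is rejected by OpenDNSSEC
            if not length.isdigit() or int(length) == 0:
                findings.append((pname, role, f"{name}: length attribute missing or 0"))
            elif fixed_bits is not None and int(length) != fixed_bits:
                findings.append((pname, role, f"{name}: length {length} should be {fixed_bits}"))
            elif fixed_bits is None and int(length) < MIN_RSA_BITS:
                findings.append((pname, role, f"{name}: {length}-bit RSA is below {MIN_RSA_BITS}"))
    return findings
```

Running `check_kasp(SAMPLE_KASP)` reports the ZSK's missing length; a length of 2048 on an Ed25519 key is reported as a mismatch even though the post observes that OpenDNSSEC appears to ignore it.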


