[Opendnssec-user] Question about kasp.xml - Algorithm
Berry van Halderen
berry at nlnetlabs.nl
Mon Feb 6 10:47:11 UTC 2023
On 2023-02-03 21:31, Edward Lewis via Opendnssec-user wrote:
> In setting up a trial of opendnssec, I see " <Algorithm
> length="2048">8</Algorithm> " in kasp.xml to set up a 2K RSA-SHA-256
> key. I want to change to Ed25519 ("15" according to the IANA registry
> for those things), which I can do by changing the "8" above to "15".
>
> My question- must I specify the length? I've tried looking for
> documentation about the kasp.xml syntax, but cannot find anything
> since 2014, cannot find any examples that use any non-RSA-based
> algorithm. That document said that OpenDNSSEC could not do an
> algorithm rollover, but using OpenDNSSEC 2.something, I got it to
> work, so I suspect that documentation is way out of date.
Dear Edward and list,
First, the documentation is re-setup because it really needs to be
revamped indeed. OpenDNSSEC now indeed supports algorithm rollover
fully and the non-RSA algorithms; it is mentioned on the web-site
and on the wiki, but not clearly at all.
Then for your question. The specification for the KASP requires
you to give a size for the number of bits, just because of
syntax checking of the KASP files. This might be considered a
bit of a relic, but on the other hand many algorithms need it.
That's why a length needs to be set, and a length must be larger
than 0. But for ECDSA and Edwards curves this value isn't used.
> I managed to get a configuration to work for Ed25519, but not if I
> omit the length nor if I set the length to 0.
>
> For general information - is there a more-recent-than-2014 document
> for kasp.xml? Is there a detailed spec for the "Algorithm" XML "key
> word"?
As said, the documentation is being updated, I'll give a post once there
is enough info there. The Validity also now allows you to specify a
separate duration for the keyset and there is an option for non-signed
zones.
With kind regards,
Berry van Halderen
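The rule Berry describes (the `length` attribute must be present and greater than 0 for the KASP syntax check, but is ignored for ECDSA and Edwards-curve algorithms) as a small lint over a kasp.xml, added here as an example and not code from OpenDNSSEC. The sample file is constructed; it assumes the usual `<KASP>/<Policy>/<Keys>/<KSK|ZSK|CSK>` nesting around the `<Algorithm>` element quoted in the thread.

```python
import xml.etree.ElementTree as ET

# IANA DNSSEC algorithm numbers: for ECDSA and Edwards-curve algorithms the
# KASP 'length' attribute is required by the syntax check but not used.
CURVE_ALGS = {13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519", 16: "ED448"}

# Constructed sample kasp.xml: an Ed25519 KSK with no length (the failing
# case from the thread), a ZSK with length="0", and two valid entries.
SAMPLE_KASP = """<KASP>
  <Policy name="ed25519-trial">
    <Keys>
      <KSK><Algorithm>15</Algorithm></KSK>
      <ZSK><Algorithm length="0">15</Algorithm></ZSK>
    </Keys>
  </Policy>
  <Policy name="default">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm></KSK>
      <ZSK><Algorithm length="256">15</Algorithm></ZSK>
    </Keys>
  </Policy>
</KASP>"""

def lint_algorithm(elem):
    """Check one <Algorithm> element; returns 'error:'/'note:' messages."""
    try:
        alg = int((elem.text or "").strip())
    except ValueError:
        return [f"error: non-numeric algorithm {elem.text!r}"]
    length = elem.get("length")
    if length is None:
        return [f"error: alg {alg}: missing length attribute"]
    if not length.isdigit() or int(length) <= 0:
        return [f"error: alg {alg}: length must be > 0, got {length!r}"]
    if alg in CURVE_ALGS:
        return [f"note: alg {alg} ({CURVE_ALGS[alg]}): length={length} is ignored"]
    return []

def lint_kasp(xml_text):
    """Lint every KSK/ZSK/CSK <Algorithm> in every <Policy>; keyed by policy/role."""
    root = ET.fromstring(xml_text)
    report = {}
    for policy in root.iter("Policy"):
        for key in policy.findall("./Keys/*"):
            if key.tag not in ("KSK", "ZSK", "CSK"):
                continue
            alg = key.find("Algorithm")
            msgs = ["error: no <Algorithm> element"] if alg is None else lint_algorithm(alg)
            report[f"{policy.get('name')}/{key.tag}"] = msgs
    return report
```

Run `lint_kasp(open("kasp.xml").read())` against a real file; entries with `error:` messages are the ones the KASP syntax check would reject.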