[Opendnssec-user] Question about kasp.xml - Algorithm

Berry van Halderen berry at nlnetlabs.nl
Mon Feb 6 10:47:11 UTC 2023


On 2023-02-03 21:31, Edward Lewis via Opendnssec-user wrote:

> In setting up a trial of opendnssec, I see " <Algorithm
> length="2048">8</Algorithm> " in kasp.xml to set up a 2K RSA-SHA-256
> key.  I want to change to Ed25519 ("15" according to the IANA registry
> for those things), which I can do by changing the "8" above to "15".
> 
> My question - must I specify the length?  I've tried looking for
> documentation about the kasp.xml syntax, but cannot find anything
> since 2014, and cannot find any examples that use any non-RSA-based
> algorithm.  That document said that OpenDNSSEC could not do an
> algorithm rollover, but using OpenDNSSEC 2.something, I got it to
> work, so I suspect that documentation is way out of date.

Dear Edward and list,

First, the documentation is being set up again, because it really
needs to be revamped.  OpenDNSSEC now fully supports algorithm
rollover and the non-RSA algorithms; this is mentioned on the web-site
and on the wiki, but not clearly at all.

Then for your question.  The KASP specification requires you to give
a size in bits, just because of the syntax checking of the KASP files.
This might be considered a bit of a relic, but on the other hand many
algorithms need it.  That's why a length needs to be set, and the
length must be larger than 0.  But for ECDSA and Edwards curves this
value isn't used.

> I managed to get a configuration to work for Ed25519, but not if I
> omit the length or set it to 0.
> 
> For general information - is there a more-recent-than-2014 document
> for kasp.xml?  Is there a detailed spec for the "Algorithm" XML "key
> word"?

As said, the documentation is being updated; I'll post once there is
enough info there.  Validity now also allows you to specify a separate
duration for the keyset, and there is an option for non-signed zones.

With kind regards,
Berry van Halderen

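The rule from the reply above (every <Algorithm> in kasp.xml needs a length attribute, the length must be greater than 0, and for the ECDSA and Edwards-curve algorithms the value is not used) as a small lint script. This is an added example for the list archive, not OpenDNSSEC code. The sample kasp.xml is constructed here; its <KASP>/<Policy>/<Keys>/<KSK>/<ZSK> layout is assumed to mirror the default kasp.xml shipped with OpenDNSSEC, and the algorithm numbers are from the IANA DNSSEC algorithm registry.

```python
"""Lint the <Algorithm> elements of an OpenDNSSEC kasp.xml.

Added example, not OpenDNSSEC code.  Encodes the rule stated on the
list: a length attribute is required and must be an integer > 0, and
for algorithms 13-16 (ECDSA, Ed25519, Ed448) the value is ignored
because the key size is fixed by the curve.
"""
import xml.etree.ElementTree as ET

# DNSSEC algorithm numbers from the IANA registry (subset).
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# Key size is fixed by the curve; kasp.xml still demands a length > 0.
FIXED_SIZE = {13, 14, 15, 16}

# Constructed sample.  The element layout below <KASP> is an assumption
# mirroring the default kasp.xml; only <Algorithm> is taken from the post.
SAMPLE_KASP = """<KASP>
  <Policy name="rsa">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P30D</Lifetime></ZSK>
    </Keys>
  </Policy>
  <Policy name="ed25519">
    <Keys>
      <KSK><Algorithm length="256">15</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm length="256">15</Algorithm><Lifetime>P30D</Lifetime></ZSK>
    </Keys>
  </Policy>
  <Policy name="broken">
    <Keys>
      <KSK><Algorithm>15</Algorithm><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Algorithm length="0">15</Algorithm><Lifetime>P30D</Lifetime></ZSK>
    </Keys>
  </Policy>
</KASP>
"""


def lint_kasp(xml_text):
    """Return a list of (policy, key_type, level, message) findings.

    level is "error" (OpenDNSSEC will reject the file), "info" (length
    present but ignored for this algorithm) or "ok".
    """
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("Policy"):
        pname = policy.get("name", "?")
        for key_type in ("KSK", "ZSK"):
            for key in policy.iter(key_type):
                alg = key.find("Algorithm")
                if alg is None:
                    findings.append((pname, key_type, "error", "missing <Algorithm>"))
                    continue
                try:
                    number = int((alg.text or "").strip())
                except ValueError:
                    findings.append((pname, key_type, "error",
                                     f"non-numeric algorithm {alg.text!r}"))
                    continue
                name = ALGORITHMS.get(number, f"unknown({number})")
                length_attr = alg.get("length")
                if length_attr is None:
                    findings.append((pname, key_type, "error",
                                     f"{name}: length attribute is required"))
                    continue
                try:
                    length = int(length_attr)
                except ValueError:
                    findings.append((pname, key_type, "error",
                                     f"{name}: length {length_attr!r} is not an integer"))
                    continue
                if length <= 0:
                    findings.append((pname, key_type, "error",
                                     f"{name}: length must be > 0, got {length}"))
                elif number in FIXED_SIZE:
                    findings.append((pname, key_type, "info",
                                     f"{name}: length={length} is ignored, size fixed by curve"))
                else:
                    findings.append((pname, key_type, "ok", f"{name}: length={length}"))
    return findings


def has_errors(findings):
    """True if any finding would make OpenDNSSEC reject the policy file."""
    return any(level == "error" for _, _, level, _ in findings)


if __name__ == "__main__":
    for policy, key_type, level, msg in lint_kasp(SAMPLE_KASP):
        print(f"{level:5} {policy}/{key_type}: {msg}")
```

Run against a real file with `lint_kasp(open("/etc/opendnssec/kasp.xml").read())`; the "broken" policy reproduces the two configurations that failed for Edward (no length, and length 0), while the "ed25519" policy shows the accepted form where the length is present but unused.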