The rules for what gets signed by what are per algorithm. Additionally the SEP bit is a hint to the signer as to what is desired. Named has controls to say whether to pay attention to the SEP bit or not. Additionally it will override those controls to pay attention to the SEP bit if it believes that the zone won’t be correctly signed if it paid attention to the SEP bit.
People have created zones where one algorithm has keys with and without the SEP bit for one algorithm but for a second algorithm there are only keys with (without) the SEP bit. If the signer has been told to honour the SEP bit then for the first algorithm it will be honoured and for the second algorithm the instruction will be overridden. See dnssec-dnskey-kskonly, update-check-ksk and the keys sub-clause of dnssec-policy.

> On 31 Aug 2021, at 13:54, Chris Buxton <[email protected]> wrote:
>
> I honestly don’t remember the reasoning, only the outcome. Maybe Mark or
> someone else from ISC can shed some light? I couldn’t find the answer to this
> regular (but infrequent) question in the ISC KB.
>
> Regards,
> Chris Buxton
>
>> On Aug 30, 2021, at 3:40 PM, raf via bind-users <[email protected]>
>> wrote:
>>
>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
>> <[email protected]> wrote:
>>
>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>> same algorithm, then both will be used to sign the entire zone.
>>>
>>> Regards,
>>> Chris Buxton
>>
>> Just out of curiosity, why is that?
>> Isn't having the KSK sign the ZSK enough?
>> What difference does the nature of the thing
>> being signed make?
>>
>> cheers,
>> raf

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
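
The per-algorithm rule described in the message above, modelled as an added Python example (not BIND's code and not part of the original post), for checking a DNSKEY set before signing. The function names, the `honour_sep` parameter and the key tags are assumptions made for illustration, and the model does not cover whether non-SEP keys also sign the DNSKEY RRset.

```python
from collections import defaultdict

SEP = 0x0001  # Secure Entry Point bit of the DNSKEY flags field (257 = ZONE|SEP, 256 = ZONE)

def signing_plan(dnskeys, honour_sep=True):
    """Simplified model of the per-algorithm rule from the message above.

    dnskeys: iterable of (key_tag, algorithm, flags) tuples.
    honour_sep: stands in for the signer being told to pay attention to the SEP bit.
    """
    by_alg = defaultdict(lambda: {True: [], False: []})
    for tag, alg, flags in dnskeys:
        by_alg[alg][bool(flags & SEP)].append(tag)

    plan = {}
    for alg in sorted(by_alg):
        sep_keys = sorted(by_alg[alg][True])
        plain_keys = sorted(by_alg[alg][False])
        # The SEP split only works when this algorithm has both kinds of key;
        # otherwise part of the zone would be left without a signature from it.
        if honour_sep and sep_keys and plain_keys:
            plan[alg] = {"sep_honoured": True,
                         "zone_signers": plain_keys,
                         "key_signing_only": sep_keys}
        else:
            plan[alg] = {"sep_honoured": False,
                         "zone_signers": sorted(sep_keys + plain_keys),
                         "key_signing_only": []}
    return plan

def overridden_algorithms(dnskeys):
    """Algorithms where an instruction to honour the SEP bit would be overridden."""
    return [alg for alg, p in signing_plan(dnskeys, True).items()
            if not p["sep_honoured"]]

# Constructed key sets (tags are made up). 8 = RSASHA256, 13 = ECDSAP256SHA256.
SPLIT_ALGORITHMS = [(1111, 8, 257), (2222, 13, 256)]  # KSK and ZSK on different algorithms
MIXED = [(3333, 13, 257), (4444, 13, 256), (5555, 8, 257)]

if __name__ == "__main__":
    for name, keys in (("split", SPLIT_ALGORITHMS), ("mixed", MIXED)):
        for alg, p in signing_plan(keys).items():
            print(name, alg, p)
```

The `SPLIT_ALGORITHMS` set is the case asked about in the thread: each algorithm has only one kind of key, so both keys end up signing the entire zone.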

