raf via bind-users <[email protected]> wrote:

> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
> <[email protected]> wrote:
>
> > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > same algorithm, then both will be used to sign the entire zone.
>
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?
As well as what Mark said, the reason signing is per-algorithm is to do with downgrade protection: if there's a situation where validators support different algorithms (e.g. some have deprecated a bad algorithm but some have not yet deployed its replacement) then a signer can support all the validators by signing with both algorithms, without causing problems for the newer validators that want to distrust the old algorithm. A validator can decide whether a zone is secure or not based purely on the algorithms listed in its DS RRset.

Tony.
-- 
f.anthony.n.finch <[email protected]> https://dotat.at/
Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
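The two rules under discussion, worked through as an added example (this is illustration code written for this page, not code from the thread and not BIND's implementation): the RFC 4035 section 2.2 requirement that every RRset carry a signature from a key of each algorithm in the apex DNSKEY RRset, which is why a KSK of one algorithm plus a ZSK of another makes both algorithms sign the whole zone, and the validator behaviour Tony describes, where the algorithms in the DS RRset decide whether a zone can be secure at all. Everything below is constructed: the zone names, the key sets, and the "signatures", which are represented only by the algorithm of the key that made them (no real cryptography is performed). The validator model follows RFC 4035 section 5.2 (no supported DS algorithm means the zone is treated as unsigned) and RFC 6840 section 5.11 (one valid signature path is enough); it assumes the signer always has each KSK sign the DNSKEY RRset.

```python
"""Model of DNSSEC per-algorithm signing and validator downgrade handling.

Added illustration, not BIND code. Algorithm numbers are the IANA values
(8 = RSASHA256, 13 = ECDSAP256SHA256). Zones, keys and signatures are
constructed stand-ins: an RRSIG here carries only the algorithm of the key
that produced it, so nothing is actually signed or verified.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    ksk: bool  # SEP flag: this key is the one the parent's DS record points at


@dataclass(frozen=True)
class RRSIG:
    owner: str      # name of the RRset this signature covers
    algorithm: int  # algorithm of the signing key


def algorithms_that_must_sign(apex_dnskeys: Iterable[DNSKEY]) -> Set[int]:
    """RFC 4035 section 2.2: every RRset needs an RRSIG from a key of each
    algorithm present in the apex DNSKEY RRset, whether that algorithm came
    in via a KSK or a ZSK. The KSK signing the ZSK does not satisfy this."""
    return {k.algorithm for k in apex_dnskeys}


def sign_zone(apex_dnskeys: Iterable[DNSKEY], owners: Iterable[str]) -> List[RRSIG]:
    """The RRSIG set a compliant signer emits: one per algorithm per RRset."""
    algs = algorithms_that_must_sign(apex_dnskeys)
    return [RRSIG(owner, alg) for owner in owners for alg in sorted(algs)]


def ds_algorithms(apex_dnskeys: Iterable[DNSKEY]) -> FrozenSet[int]:
    """Algorithms listed in the parent's DS RRset: one DS per KSK."""
    return frozenset(k.algorithm for k in apex_dnskeys if k.ksk)


def validate(apex_dnskeys: List[DNSKEY], rrsigs: Iterable[RRSIG], owner: str,
             supported: Set[int]) -> str:
    """Outcome for one RRset as seen by a validator implementing `supported`.

    A deprecated algorithm is modelled as simply unsupported: the validator
    treats it like an algorithm it has never heard of."""
    usable = ds_algorithms(apex_dnskeys) & supported
    if not usable:
        # RFC 4035 section 5.2: no DS algorithm the validator can use, so
        # there is no trust path at all; the zone is unsigned from its point
        # of view ("insecure"), not broken. This is the downgrade case.
        return "insecure"
    # The DNSKEY RRset validated through a usable DS (assumption: each KSK
    # signs the apex DNSKEY RRset), so every key in it is now trusted, but
    # only keys of algorithms the validator implements can be used.
    trusted_algs = {k.algorithm for k in apex_dnskeys} & supported
    signed_with = {s.algorithm for s in rrsigs if s.owner == owner}
    # RFC 6840 section 5.11: any single valid signature path suffices.
    return "secure" if signed_with & trusted_algs else "bogus"


# Constructed scenarios, not data from the thread.
OLD_VALIDATOR = {RSASHA256}                        # has not deployed 13 yet
NEW_VALIDATOR = {ECDSAP256SHA256}                  # has dropped 8
CURRENT_VALIDATOR = {RSASHA256, ECDSAP256SHA256}   # supports both

# Proper dual-algorithm signing: KSK and ZSK in each algorithm, DS lists both.
DUAL_ALG_KEYS = [DNSKEY(RSASHA256, True), DNSKEY(RSASHA256, False),
                 DNSKEY(ECDSAP256SHA256, True), DNSKEY(ECDSAP256SHA256, False)]

# The questioner's layout: KSK in one algorithm, ZSK in another.
MIXED_KEYS = [DNSKEY(RSASHA256, True), DNSKEY(ECDSAP256SHA256, False)]

OWNERS = ["example.test.", "www.example.test."]


def outcomes(keys: List[DNSKEY], rrsigs: List[RRSIG],
             owner: str = "www.example.test.") -> Dict[str, str]:
    """What each of the three validator populations concludes about one RRset."""
    return {"old": validate(keys, rrsigs, owner, OLD_VALIDATOR),
            "new": validate(keys, rrsigs, owner, NEW_VALIDATOR),
            "current": validate(keys, rrsigs, owner, CURRENT_VALIDATOR)}


if __name__ == "__main__":
    print("dual-algorithm zone:       ",
          outcomes(DUAL_ALG_KEYS, sign_zone(DUAL_ALG_KEYS, OWNERS)))
    print("mixed keys, both algs sign:",
          outcomes(MIXED_KEYS, sign_zone(MIXED_KEYS, OWNERS)))
    # What the question proposed: only the algorithm-13 ZSK signs the data.
    zsk_only = [RRSIG(o, ECDSAP256SHA256) for o in OWNERS]
    print("mixed keys, ZSK-only sigs: ", outcomes(MIXED_KEYS, zsk_only))
```

Running it shows the two halves of the answer. With the mixed key set and data signed only by the algorithm-13 ZSK, the validator that only knows algorithm 8 follows the DS to a DNSKEY RRset it trusts, finds no signature it can check over the data, and returns bogus; signing with both algorithms, as BIND does, gives that validator a path and turns the result secure. The validator that has dropped algorithm 8 sees a DS RRset with nothing it supports and treats the zone as unsigned in every mixed-key case, which is the downgrade Tony refers to; only the dual-algorithm key set, whose DS RRset lists both algorithms, comes out secure for all three validator populations.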

