On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch <[email protected]> wrote:
> raf via bind-users <[email protected]> wrote:
>
> > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton
> > <[email protected]> wrote:
> >
> > > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > > same algorithm, then both will be used to sign the entire zone.
> >
> > Just out of curiosity, why is that?
> > Isn't having the KSK sign the ZSK enough?
>
> As well as what Mark said, the reason signing is per-algorithm is to do
> with downgrade protection: if there's a situation where validators support
> different algorithms (e.g. some have deprecated a bad algorithm but some
> have not yet deployed its replacement) then a signer can support all the
> validators by signing with both algorithms, without causing problems for
> the newer validators that want to distrust the old algorithm. A validator
> can decide whether a zone is secure or not based purely on the algorithms
> listed in its DS RRset.
>
> Tony.
> --
> f.anthony.n.finch <[email protected]> https://dotat.at/
> Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.

Thanks.

cheers,
raf
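The per-algorithm signing rule and the downgrade argument in Tony's reply, worked through as an added example. This is not code from the thread and not BIND's code: it is a small Python model of the algorithm-selection rules in RFC 4035 (§2.2: every algorithm in the DNSKEY RRset must sign every RRset; §5.2: no supported DS algorithm means the zone is treated as unsigned) and RFC 6840 §5.11 (any single valid path suffices). No cryptography is performed; a signature is treated as verifying when a DNSKEY with its algorithm and key tag exists. The algorithm numbers are the real IANA values; the zone name, key tags and the two validators' algorithm sets are constructed for the example.

```python
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15

KSK_FLAGS = 257  # ZONE + SEP bit
ZSK_FLAGS = 256  # ZONE only


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    flags: int
    key_tag: int


@dataclass(frozen=True)
class RRSIG:
    rrset: str      # e.g. "www.example. A"
    algorithm: int
    key_tag: int


def sign_zone(rrsets, dnskeys, algorithms):
    """RRSIGs a signer emits when it signs every RRset with each algorithm in
    `algorithms`: the DNSKEY RRset by that algorithm's KSK, all else by its ZSK."""
    sigs = set()
    for alg in algorithms:
        ksk = next(k for k in dnskeys if k.algorithm == alg and k.flags == KSK_FLAGS)
        zsk = next(k for k in dnskeys if k.algorithm == alg and k.flags == ZSK_FLAGS)
        for rr in rrsets:
            signer = ksk if rr.endswith(" DNSKEY") else zsk
            sigs.add(RRSIG(rr, alg, signer.key_tag))
    return sigs


def missing_algorithm_signatures(rrsets, dnskeys, rrsigs):
    """RFC 4035 §2.2 / RFC 6840 §5.11 check: every algorithm present in the
    DNSKEY RRset must sign every RRset. Returns the (rrset, algorithm) pairs
    that lack an RRSIG; empty means the zone is signed correctly."""
    algs = {k.algorithm for k in dnskeys}
    signed = {(s.rrset, s.algorithm) for s in rrsigs}
    return {(rr, a) for rr in rrsets for a in algs if (rr, a) not in signed}


def validator_verdict(ds_algorithms, supported, dnskeys, rrsigs, rrset):
    """Model of a validator's decision for one RRset (no crypto performed)."""
    usable = ds_algorithms & supported
    if not usable:
        # Nothing in the DS RRset this validator understands: the zone is
        # treated as unsigned (Insecure), never Bogus (RFC 4035 §5.2).
        return "Insecure"
    keys = {(k.algorithm, k.key_tag) for k in dnskeys}
    for sig in rrsigs:
        if (sig.rrset == rrset and sig.algorithm in usable
                and (sig.algorithm, sig.key_tag) in keys):
            return "Secure"  # any single valid path suffices (RFC 6840 §5.11)
    return "Bogus"


# Constructed sample zone with keys for a legacy and a newer algorithm
RRSETS = {"example. SOA", "example. NS", "example. DNSKEY", "www.example. A"}
DNSKEYS = {
    DNSKEY(RSASHA1, KSK_FLAGS, 11111), DNSKEY(RSASHA1, ZSK_FLAGS, 22222),
    DNSKEY(ECDSAP256SHA256, KSK_FLAGS, 33333), DNSKEY(ECDSAP256SHA256, ZSK_FLAGS, 44444),
}
DS_ALGS = {RSASHA1, ECDSAP256SHA256}  # parent publishes a DS for both KSKs

LEGACY_VALIDATOR = {RSASHA1, RSASHA256}                   # has not deployed 13 yet
MODERN_VALIDATOR = {RSASHA256, ECDSAP256SHA256, ED25519}  # has deprecated 5

COMPLETE_SIGS = sign_zone(RRSETS, DNSKEYS, {RSASHA1, ECDSAP256SHA256})
# Mistake (or an attacker stripping the alg-13 RRSIGs): both algorithms'
# keys are published, but only the legacy algorithm signs the zone.
PARTIAL_SIGS = sign_zone(RRSETS, DNSKEYS, {RSASHA1})


def verdicts(rrsigs, ds_algorithms=DS_ALGS, rrset="www.example. A"):
    return {
        "legacy": validator_verdict(ds_algorithms, LEGACY_VALIDATOR, DNSKEYS, rrsigs, rrset),
        "modern": validator_verdict(ds_algorithms, MODERN_VALIDATOR, DNSKEYS, rrsigs, rrset),
    }


if __name__ == "__main__":
    print("missing (complete):", missing_algorithm_signatures(RRSETS, DNSKEYS, COMPLETE_SIGS))
    print("missing (partial): ", sorted(missing_algorithm_signatures(RRSETS, DNSKEYS, PARTIAL_SIGS)))
    print("both algorithms sign everything:", verdicts(COMPLETE_SIGS))
    print("only alg 5 signs:               ", verdicts(PARTIAL_SIGS))
    print("DS for alg 5 only:              ", verdicts(COMPLETE_SIGS, ds_algorithms={RSASHA1}))
```

The three runs show the point of the thread: when every RRset carries an RRSIG for both algorithms, both validators return Secure; when only the old algorithm signs (whether by a signer misconfiguration or because someone stripped the new signatures), the modern validator sees a DS it trusts with no matching signature and returns Bogus rather than falling back to the algorithm it distrusts; and when the parent's DS RRset lists only the old algorithm, the modern validator treats the zone as Insecure without needing to look at any signature, which is the "decide purely from the DS RRset" property Tony describes.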

