On 14.1.2022 10:30, Viktor Dukhovni wrote:
> On Fri, Jan 14, 2022 at 10:09:04AM +0000, Matthew Richardson wrote:
>
>> Looking visually at the DNSViz output, the KSK 16819 does look strange as
>> it is referenced by a DS but does not sign anything.
>>
>> Out of interest, do folks think this is a valid configuration?
>
> Looks valid to me, because another KSK for the same algorithm and
> choice of hash does sign the DNSKEY RRset:

I thought it was just the same algorithm, not necessarily the same hash type?

We're finishing up a test migration of a signed zone, doing a key rollover, and the old DS record is algorithm 8, digest type 2. The new key has two DS records, both algorithm 8, one digest type 2, one type 4.

We saw the error in Zonemaster, but DNSViz and probes in RIPE Atlas never flagged an error.

.einar
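
How a DS record is tied to a DNSKEY, as an added example that is not part of the original message: the digest (type 2 = SHA-256, type 4 = SHA-384) is computed over the owner name plus the DNSKEY RDATA as in RFC 4034, so a type 2 and a type 4 DS can both point at the same algorithm 8 key. The zone name, key names and key bytes are constructed for illustration.

```python
import hashlib
import struct

# IANA DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def match_ds(owner, ds_set, dnskeys):
    """For each DS, the name of the DNSKEY it hashes to (None if no key matches)."""
    return [next((n for n, k in dnskeys.items() if make_ds(owner, k, ds[2]) == ds), None)
            for ds in ds_set]

# Constructed sample data: key bytes are filler, not real RSA keys.
OWNER = "example.test."
KEYS = {
    "old-ksk": dnskey_rdata(257, 3, 8, bytes(range(0, 64))),
    "new-ksk": dnskey_rdata(257, 3, 8, bytes(range(64, 128))),
}
DS_SET = [
    make_ds(OWNER, KEYS["old-ksk"], 2),   # old key: algorithm 8, digest type 2
    make_ds(OWNER, KEYS["new-ksk"], 2),   # new key: algorithm 8, digest type 2
    make_ds(OWNER, KEYS["new-ksk"], 4),   # new key: algorithm 8, digest type 4
]

if __name__ == "__main__":
    for ds, key in zip(DS_SET, match_ds(OWNER, DS_SET, KEYS)):
        print("DS tag=%d alg=%d digest_type=%d -> %s" % (ds[0], ds[1], ds[2], key))
```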