Hi Full Name,
indeed, this is not possible. The ECC and EdDSA algorithm families always
stick to one key size for any algorithm. You can't have your KSK and ZSK
with different algorithms.
On the other hand, this is no big deal. Those algorithms are considered
safe enough even with small keys, so you can choose just e.g. ECDSA256
and profit from having small signatures. You can also think of using a
single-type signing scheme.
BR,
Libor
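A knot.conf fragment that shows the setup suggested above, as an added example that is not part of the original reply or of the Knot DNS project's own documentation: one ECDSA algorithm for both key types, with no ksk-size / zsk-size because the curve already fixes the key size, plus the single-type signing variant. The zone name and the policy ids are assumptions.

```yaml
# Added example, not from the original message or the Knot DNS project.
# With ECDSA/EdDSA the curve implies the key size, so ksk-size / zsk-size
# are left out; those options only matter for RSA policies.
policy:
  - id: ecdsa-p256                  # assumed policy name
    algorithm: ecdsap256sha256      # both KSK and ZSK are 256-bit P-256 keys
    ksk-lifetime: 365d
    zsk-lifetime: 30d

  # If a larger security margin is wanted, use the 384-bit curve for the
  # whole zone; mixing P-384 for the KSK with P-256 for the ZSK is not
  # expressible, since one policy carries one algorithm.
  - id: ecdsa-p384                  # assumed policy name
    algorithm: ecdsap384sha384      # both KSK and ZSK are 384-bit P-384 keys
    ksk-lifetime: 365d
    zsk-lifetime: 30d

  # Single-type signing: one key (CSK) signs both the DNSKEY RRset and the
  # zone data, so the KSK/ZSK size question disappears entirely.
  - id: ecdsa-csk                   # assumed policy name
    algorithm: ecdsap256sha256
    single-type-signing: on

zone:
  - domain: example.com.            # hypothetical zone
    file: example.com.zone
    dnssec-signing: on
    dnssec-policy: ecdsa-p256       # switch to ecdsa-p384 or ecdsa-csk as needed
```

Changing the policy's algorithm on a zone that is already signed starts an algorithm rollover, so pick the curve before the first signing where possible.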
On 28.11.18 at 22:58 Full Name wrote:
A policy section in knot.conf would contain (among other things) an algorithm
specification and (optionally) the KSK and ZSK key sizes. This works fine for
RSA. Now imagine that I want to establish a policy with ECC keys for both KSKs
and ZSKs. However, I might want the KSKs to be 384-bit keys, and the
ZSKs to be 256-bit keys. Can a policy be created in Knot to do so? It would
seem that, given that the algorithm specification for NIST elliptic curves
includes both the curve and digest data, the key size specifications do not
apply here - i.e. both KSKs and ZSKs will necessarily use the same curve, and
therefore the same key size. Is this correct?
--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users