On Tue, 2021-04-27 at 22:56 +0200, Arne Jensen wrote:
> NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384 all along is that 
> I've seen DNSSEC signatures with 14 2 (ECDSAP384SHA256), which I would find 
> quite weird.

This appears to be a frequent source of confusion.

In '14 4', '14' is the DNSSEC signing algorithm ECDSAP384SHA384 [1]. '4' is the 
DS digest algorithm SHA384 [2].

Then, '14 2', is still the DNSSEC signing algorithm ECDSAP384SHA384, and '2' is 
the DS digest algorithm SHA256.

The DNSSEC signing algorithm is used to sign the zone's content. The DS digest 
algorithm is what the parent zone uses to digest (hash) the child's DNSKEY (and 
this digest is then signed by whatever DNSSEC signing algorithm the parent 
chose).

So, '14 2' is not ECDSAP384SHA256, it's still ECDSAP384SHA384.

[1] https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
[2] https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
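To make the two numbers concrete, here is an added illustration (not code from the thread or from PowerDNS) that builds DS records from one DNSKEY with algorithm 14 using digest type 2 and digest type 4, per RFC 4034 section 5.1.4 and Appendix B. The owner name and the 96-byte public key are constructed placeholders, not a real key.

```python
import hashlib

# DNSSEC signing algorithm number 14 = ECDSAP384SHA384 (IANA dns-sec-alg-numbers)
ALG_ECDSAP384SHA384 = 14
# DS digest types (IANA ds-rr-types): 2 = SHA-256, 4 = SHA-384
DS_DIGEST = {2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case, uncompressed) wire form, RFC 4034 s6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type, digest hex), RFC 4034 s5.1.4.
    The digest covers owner-name wire | DNSKEY RDATA. The algorithm field is
    copied straight from the DNSKEY, so it does not change with the digest type."""
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

# Constructed 96-byte placeholder "public key" (a P-384 point is 2 x 48 bytes); not a real key.
FAKE_P384_KEY = bytes(range(96))
KSK_RDATA = dnskey_rdata(257, ALG_ECDSAP384SHA384, FAKE_P384_KEY)

if __name__ == "__main__":
    # Both lines print "... 14 2 ..." and "... 14 4 ...": same key, same algorithm 14,
    # only the parent's choice of digest type (and the digest length) differs.
    for dt in (2, 4):
        tag, alg, d, hexd = make_ds("example.", KSK_RDATA, dt)
        print(f"example. IN DS {tag} {alg} {d} {hexd}")
```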
