While auditing one of my test zones, the auditor complained vigorously about:

    RRSIGS should include algorithm RSASHA256 for nzrs.net.nz, DNSKEY, have : RSASHA1-NSEC3-SHA1
    3: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1 for nzrs.net.nz, NS, have : RSASHA256

In a previous message sent to the mailing list (ref
http://lists.nominet.org.uk/pipermail/opendnssec-user/2010-March/000465.html)
someone noted the same issue, which seems to be related to algorithm rollover
handling. This case is not an algorithm rollover: it's a KSK using algorithm 7
and the ZSK using algorithm 8.

IMHO the signer is doing the right thing: signing the DNSKEY RRset with the KSK
and the rest of the RRsets with the ZSK, but the auditor complains, probably
based on Section 2.2 of RFC 4035 (hot topic these days).

Any thoughts? Who's right: the signer or the auditor?

cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
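The rule the auditor is applying is the one in RFC 4035 section 2.2: every RRset in a signed zone must carry an RRSIG made with at least one DNSKEY of each algorithm present in the apex DNSKEY RRset. The following Python script is an added example, not code from the message above or from OpenDNSSEC. It parses a small constructed zone (name example.test., key and signature fields are placeholders) that mirrors the situation described, a KSK with algorithm 7 signing only the DNSKEY RRset and a ZSK with algorithm 8 signing the rest, and reports each RRset/algorithm gap the way an auditor would. It then re-runs the check on a variant where both keys use algorithm 8, which is one way to make the zone pass.

```python
"""RFC 4035 section 2.2 algorithm-coverage check for a signed zone.

Added example, not code from the original mailing-list message or from
OpenDNSSEC. Section 2.2 requires that every RRset in a signed zone carries an
RRSIG made with at least one DNSKEY of each algorithm that appears in the apex
DNSKEY RRset. The sample zone below is constructed (name example.test., key and
signature fields are placeholders) to mirror the situation in the message: a KSK
using algorithm 7 signs only the DNSKEY RRset, a ZSK using algorithm 8 signs
everything else.
"""
from collections import defaultdict

# DNSSEC algorithm mnemonics for the numbers used here (IANA registry).
ALG_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
}

# Constructed sample zone in presentation format: "owner TTL class TYPE rdata".
SAMPLE_ZONE = """\
example.test.     3600 IN SOA    ns1.example.test. hostmaster.example.test. 2010032401 7200 3600 1209600 3600
example.test.     3600 IN NS     ns1.example.test.
example.test.     3600 IN DNSKEY 257 3 7 KSKPUBLICKEYPLACEHOLDER==
example.test.     3600 IN DNSKEY 256 3 8 ZSKPUBLICKEYPLACEHOLDER==
example.test.     3600 IN RRSIG  DNSKEY 7 2 3600 20100401000000 20100301000000 11111 example.test. KSKSIGPLACEHOLDER==
example.test.     3600 IN RRSIG  SOA    8 2 3600 20100401000000 20100301000000 22222 example.test. ZSKSIGPLACEHOLDER==
example.test.     3600 IN RRSIG  NS     8 2 3600 20100401000000 20100301000000 22222 example.test. ZSKSIGPLACEHOLDER==
ns1.example.test. 3600 IN A      192.0.2.1
ns1.example.test. 3600 IN RRSIG  A      8 3 3600 20100401000000 20100301000000 22222 example.test. ZSKSIGPLACEHOLDER==
"""


def parse_zone(text):
    """Return (apex, apex_dnskey_algs, rrsets, rrsig_algs) for a one-record-per-line zone.

    rrsets is the set of (owner, type) pairs that are not RRSIGs; rrsig_algs maps
    (owner, covered type) to the set of algorithm numbers found in its RRSIGs.
    """
    apex = None
    dnskeys_by_owner = defaultdict(set)
    rrsets = set()
    rrsig_algs = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered algorithm labels orig-ttl expire incept keytag signer sig
            rrsig_algs[(owner, rdata[0])].add(int(rdata[1]))
            continue
        rrsets.add((owner, rtype))
        if rtype == "SOA" and apex is None:
            apex = owner  # the SOA owner is the zone apex
        elif rtype == "DNSKEY":
            # DNSKEY rdata: flags protocol algorithm public-key
            dnskeys_by_owner[owner].add(int(rdata[2]))
    return apex, dnskeys_by_owner.get(apex, set()), rrsets, rrsig_algs


def alg_list(algs):
    return ", ".join(ALG_NAMES.get(a, str(a)) for a in sorted(algs)) or "none"


def check_algorithm_coverage(zone_text):
    """Return one message per (RRset, missing algorithm) pair; an empty list means compliant."""
    _, dnskey_algs, rrsets, rrsig_algs = parse_zone(zone_text)
    problems = []
    for owner, rtype in sorted(rrsets):
        have = rrsig_algs.get((owner, rtype), set())
        for alg in sorted(dnskey_algs - have):
            problems.append(
                f"RRSIGs should include algorithm {ALG_NAMES.get(alg, str(alg))} "
                f"for {owner} {rtype}, have: {alg_list(have)}"
            )
    return problems


# One remediation: give the KSK the same algorithm as the ZSK, so the apex DNSKEY
# RRset lists a single algorithm that every RRset's RRSIGs already cover.
FIXED_ZONE = SAMPLE_ZONE.replace("DNSKEY 257 3 7 ", "DNSKEY 257 3 8 ").replace(
    "RRSIG  DNSKEY 7 2", "RRSIG  DNSKEY 8 2"
)

if __name__ == "__main__":
    for name, zone in (("mixed-algorithm zone", SAMPLE_ZONE),
                       ("single-algorithm zone", FIXED_ZONE)):
        findings = check_algorithm_coverage(zone)
        print(f"{name}: {len(findings)} problem(s)")
        for p in findings:
            print("  " + p)
```

On the mixed-algorithm sample the check reports four gaps: the DNSKEY RRset lacks an algorithm 8 signature and the SOA, NS and A RRsets lack an algorithm 7 signature, which is exactly the shape of the two complaints quoted in the message (the auditor there only listed the apex DNSKEY and NS RRsets). Signing each RRset with a key of every apex algorithm, or keeping KSK and ZSK on one algorithm as in the fixed variant, clears the report.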
