On Aug 18, 2010, at 7:35 AM, Rickard Bellgrim wrote:

> The Auditor is right. All RRsets must be signed by all of the DNSKEY
> algorithms.
>
> So you should not use different algorithms for the KSK and the ZSK. And in
> the long run, we should handle multiple algorithms better.

Yes, there must be a signature by at least one key of each algorithm in the DNSKEY RRSet over each RRSet. So if you have both algs 7 and 8 in the keyset, you should have sigs by both 7 and 8 over all RRSets.

Roy

> // Rickard
>
> On 18 Aug 2010, at 04:36, Sebastian Castro <[email protected]> wrote:
>
>> While auditing one of my test zones, the auditor complained vigorously
>> about
>>
>> RRSIGS should include algorithm RSASHA256 for nzrs.net.nz, DNSKEY, have
>> : RSASHA1-NSEC3-SHA1
>> 3: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1 for nzrs.net.nz,
>> NS, have : RSASHA256
>>
>> In a previous message sent to the mailing list (ref
>> http://lists.nominet.org.uk/pipermail/opendnssec-user/2010-March/000465.html)
>> someone noted the same issue that seems to be related to algorithm
>> rollover handling.
>>
>> This case is not an algorithm rollover, it's a KSK using algorithm 7 and
>> the ZSK using algorithm 8. IMHO the signer is doing the right thing:
>> signing the DNSKEY RR Set with the KSK and the rest of the RRsets with
>> the ZSK, but the auditor complains probably based on Section 2.2 of RFC
>> 4035 (hot topic these days).
>>
>> Any thoughts? Who's right: the signer or the auditor?
>>
>> cheers,
>> --
>> Sebastian Castro
>> DNS Specialist
>> .nz Registry Services (New Zealand Domain Name Registry Limited)
>> desk: +64 4 495 2337
>> mobile: +64 21 400535
>> _______________________________________________
>> Opendnssec-user mailing list
>> [email protected]
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
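The check the auditor applies, as an added example that is not part of this thread or of OpenDNSSEC's own code: it parses presentation-format DNSKEY and RRSIG records (assumed to carry an explicit TTL and class), collects the set of algorithms in the DNSKEY RRset, and reports every RRset that lacks an RRSIG from one of those algorithms, per Section 2.2 of RFC 4035. The zone data, key tags and signature blobs are constructed; the first zone reproduces the mixed KSK-7/ZSK-8 setup described above, the second signs every RRset with both algorithms.

```python
"""RFC 4035 sec. 2.2 audit: every RRset must carry an RRSIG for each
algorithm that appears in the zone's DNSKEY RRset."""

# Algorithm numbers to mnemonics, as used in the auditor's messages.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}


def parse_zone(text):
    """Return (dnskey_algs, sigs). sigs maps (owner, type) -> set of RRSIG
    algorithms covering that RRset; RRsets with no RRSIG map to an empty set.
    Assumes 'owner TTL IN TYPE rdata...' presentation format."""
    dnskey_algs, sigs = set(), {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "RRSIG":
            covered, alg = rdata[0], int(rdata[1])   # type-covered, algorithm
            sigs.setdefault((owner, covered), set()).add(alg)
        else:
            if rtype == "DNSKEY":
                dnskey_algs.add(int(rdata[2]))       # flags proto ALG key
            sigs.setdefault((owner, rtype), set())   # register the RRset
    return dnskey_algs, sigs


def audit(text):
    """Return auditor-style findings, one per (RRset, missing algorithm)."""
    dnskey_algs, sigs = parse_zone(text)
    findings = []
    for (owner, rtype), have in sorted(sigs.items()):
        have_names = ", ".join(ALG_NAMES.get(a, str(a)) for a in sorted(have))
        for alg in sorted(dnskey_algs - have):
            findings.append("RRSIGS should include algorithm %s for %s, %s, have: %s"
                            % (ALG_NAMES.get(alg, str(alg)), owner, rtype, have_names or "none"))
    return findings


# Constructed zone fragments: KSK alg 7 signs DNSKEY, ZSK alg 8 signs the rest.
MIXED_ZONE = """\
nzrs.net.nz. 3600 IN DNSKEY 257 3 7 AwEAAcKSKkeyPLACEHOLDER=
nzrs.net.nz. 3600 IN DNSKEY 256 3 8 AwEAAdZSKkeyPLACEHOLDER=
nzrs.net.nz. 3600 IN RRSIG DNSKEY 7 3 3600 20100901000000 20100818000000 11111 nzrs.net.nz. sig7==
nzrs.net.nz. 3600 IN NS ns1.nzrs.net.nz.
nzrs.net.nz. 3600 IN RRSIG NS 8 3 3600 20100901000000 20100818000000 22222 nzrs.net.nz. sig8==
"""
# Same zone with both algorithms signing every RRset: audit() returns [].
FIXED_ZONE = MIXED_ZONE + """\
nzrs.net.nz. 3600 IN RRSIG DNSKEY 8 3 3600 20100901000000 20100818000000 22222 nzrs.net.nz. sig8==
nzrs.net.nz. 3600 IN RRSIG NS 7 3 3600 20100901000000 20100818000000 11111 nzrs.net.nz. sig7==
"""
```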
