[dns-operations] ZSK algorithm different from DS/KSK algorithm?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Nov 15 04:23:18 UTC 2017
In reference to:
http://dnsviz.net/d/_25._tcp.diogenes.leeuwarden.nl/WgupAQ/dnssec/
$ dig +noall +ans +nosplit +nocl +nottl -t ds leeuwarden.nl.
leeuwarden.nl. DS 39529 8 2 C383F613E25AFD16DF63861932CF2BFCC70C0904E048C990022BC6B817D6B5E5
$ dig +noall +ans +multi +rrcomment +nocl +nottl -t dnskey leeuwarden.nl.
leeuwarden.nl. DNSKEY 256 3 7 (
AwEAAabMlzUvmnHDtqiwDTNqagy/z6D5KG2D7glyCiHZ
9d/y0M4/70ASkWD/V2bY+SEfAXRO1gqfoq+Jb8HOu2D0
7F91WoZ+n4OeqGR937W/lzSL441CtnGVxFrh3iruxUYK
qSEXW7KlkRoa5tnlrEueU6LUpDS4jU5eo3VT70vNn4lb
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 20357
leeuwarden.nl. DNSKEY 257 3 8 (
AwEAAchUEsOBPcX/t/vyjrBv1n60V6zU/35BLAt45bzD
XTwlgh4mBTmRQ/RR6OCE1eIBcFNxRwWgfguYK3aR15i/
3FMyKbyf4GCc2CSdos2ex7W4f3SS6x3iODXBVfBgONul
ffP8woLM85yuGESIu8Wbi9okVZkR4Bhob0dUEfyVvsAh
o0k10RP5bDdWmKJjecfYvtKbMRNKAB2KfbNQGxwePjKz
Mx1ezfGmKT6toBBYI5ChPja1/rECQOq47MhrE5aFGIzL
0eeLu9n2wvuzGrVva7TL89kPiyZyzU7sqQk+3E0s5wlc
yVXW/KZlkP/O088KDJOhHzTZZgCjfrml+kFEKQM=
) ; KSK; alg = RSASHA256 ; key id = 39529
Is it OK to have DS records for just algorithm 8, a KSK with algorithm 8,
but a ZSK with algorithm 7? Unbound seems to tolerate this, though I
did earlier today see ServFail for _25._tcp.diogenes.leeuwarden.nl, that
I no longer see, so perhaps not related to the ZSK algorithm oddity...
--
Viktor.
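Added example, not part of Viktor's message or of any project's code: a small Python checker that takes the DS and DNSKEY records quoted above, computes the RFC 4034 Appendix B key tag and the RFC 4034 section 5.1.4 DS digest for each key, decodes the RSA public key fields (RFC 3110), and reports which DNSKEY algorithms appear in the zone's key set without any DS record of the same algorithm. The record data is copied from the dig output in the message; the record layout (tag, algorithm, digest type, digest; flags, protocol, algorithm, key) and the self-check on a constructed 4-byte RSA key are the only assumptions.

```python
import base64
import hashlib
import struct

# DS and DNSKEY records for leeuwarden.nl. as printed by dig in the message above.
DS_RECORDS = [
    # (key tag, algorithm, digest type, digest hex)
    (39529, 8, 2, "C383F613E25AFD16DF63861932CF2BFCC70C0904E048C990022BC6B817D6B5E5"),
]

DNSKEY_RECORDS = [
    # (flags, protocol, algorithm, base64 public key)
    (256, 3, 7, "AwEAAabMlzUvmnHDtqiwDTNqagy/z6D5KG2D7glyCiHZ"
                "9d/y0M4/70ASkWD/V2bY+SEfAXRO1gqfoq+Jb8HOu2D0"
                "7F91WoZ+n4OeqGR937W/lzSL441CtnGVxFrh3iruxUYK"
                "qSEXW7KlkRoa5tnlrEueU6LUpDS4jU5eo3VT70vNn4lb"),
    (257, 3, 8, "AwEAAchUEsOBPcX/t/vyjrBv1n60V6zU/35BLAt45bzD"
                "XTwlgh4mBTmRQ/RR6OCE1eIBcFNxRwWgfguYK3aR15i/"
                "3FMyKbyf4GCc2CSdos2ex7W4f3SS6x3iODXBVfBgONul"
                "ffP8woLM85yuGESIu8Wbi9okVZkR4Bhob0dUEfyVvsAh"
                "o0k10RP5bDdWmKJjecfYvtKbMRNKAB2KfbNQGxwePjKz"
                "Mx1ezfGmKT6toBBYI5ChPja1/rECQOq47MhrE5aFGIzL"
                "0eeLu9n2wvuzGrVva7TL89kPiyZyzU7sqQk+3E0s5wlc"
                "yVXW/KZlkP/O088KDJOhHzTZZgCjfrml+kFEKQM="),
]

ALG_NAMES = {7: "NSEC3RSASHA1", 8: "RSASHA256"}


def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the full DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical wire-format owner name | DNSKEY RDATA), RFC 4034 s5.1.4."""
    labels = owner.rstrip(".").lower().split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire_name + rdata).hexdigest().upper()


def rsa_public_key_fields(pubkey):
    """RFC 3110 s2 RSA key encoding: exponent length (1 or 3 bytes), exponent, modulus.
    Returns (exponent, modulus size in bits)."""
    explen, off = pubkey[0], 1
    if explen == 0:                       # long form: next two bytes carry the length
        explen = struct.unpack("!H", pubkey[1:3])[0]
        off = 3
    exponent = int.from_bytes(pubkey[off:off + explen], "big")
    modulus = pubkey[off + explen:]
    return exponent, len(modulus) * 8


def audit(owner, ds_records, dnskey_records):
    """Cross-check DS and DNSKEY RRsets: which keys a DS points at, and which
    DNSKEY algorithms have no DS of the same algorithm at the parent."""
    ds_algs = {alg for _, alg, _, _ in ds_records}
    report = {"keys": [], "ds_matched_tags": [], "algs_without_ds": set()}
    for flags, proto, alg, b64 in dnskey_records:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        tag = key_tag(rdata)
        exponent, bits = rsa_public_key_fields(rdata[4:])
        role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit distinguishes KSK from ZSK
        report["keys"].append((role, alg, tag, exponent, bits))
        for ds_tag, ds_alg, dtype, digest in ds_records:
            if (ds_tag, ds_alg) == (tag, alg) and ds_digest(owner, rdata, dtype) == digest:
                report["ds_matched_tags"].append(tag)
        if alg not in ds_algs:
            report["algs_without_ds"].add(alg)
    return report


if __name__ == "__main__":
    r = audit("leeuwarden.nl.", DS_RECORDS, DNSKEY_RECORDS)
    for role, alg, tag, exponent, bits in r["keys"]:
        print(f"{role} alg={alg} ({ALG_NAMES.get(alg, '?')}) tag={tag} e={exponent} {bits}-bit")
    print("DS-matched key tags:", r["ds_matched_tags"])
    print("DNSKEY algorithms with no DS of that algorithm:",
          sorted(ALG_NAMES.get(a, str(a)) for a in r["algs_without_ds"]))
```

Run on the records from the message, the audit reports one 1024-bit algorithm 7 ZSK and one 2048-bit algorithm 8 KSK, and lists algorithm 7 as having no DS; the computed key tags and DS digest can be compared against the key ids and digest dig printed.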