[dns-operations] ZSK algorithm different from DS/KSK algorithm?

Mark Andrews marka at isc.org
Wed Nov 15 04:41:22 UTC 2017


On 15 Nov 2017, at 3:23 pm, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
> In reference to:
> 
>    http://dnsviz.net/d/_25._tcp.diogenes.leeuwarden.nl/WgupAQ/dnssec/
> 
>    $ dig +noall +ans +nosplit +nocl +nottl -t ds leeuwarden.nl.
>    leeuwarden.nl.          DS      39529 8 2 C383F613E25AFD16DF63861932CF2BFCC70C0904E048C990022BC6B817D6B5E5
> 
>    $ dig +noall +ans +multi +rrcomment +nocl +nottl -t dnskey leeuwarden.nl.
>    leeuwarden.nl.              DNSKEY  256 3 7 (
>                                AwEAAabMlzUvmnHDtqiwDTNqagy/z6D5KG2D7glyCiHZ
>                                9d/y0M4/70ASkWD/V2bY+SEfAXRO1gqfoq+Jb8HOu2D0
>                                7F91WoZ+n4OeqGR937W/lzSL441CtnGVxFrh3iruxUYK
>                                qSEXW7KlkRoa5tnlrEueU6LUpDS4jU5eo3VT70vNn4lb
>                                ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 20357
>    leeuwarden.nl.              DNSKEY  257 3 8 (
>                                AwEAAchUEsOBPcX/t/vyjrBv1n60V6zU/35BLAt45bzD
>                                XTwlgh4mBTmRQ/RR6OCE1eIBcFNxRwWgfguYK3aR15i/
>                                3FMyKbyf4GCc2CSdos2ex7W4f3SS6x3iODXBVfBgONul
>                                ffP8woLM85yuGESIu8Wbi9okVZkR4Bhob0dUEfyVvsAh
>                                o0k10RP5bDdWmKJjecfYvtKbMRNKAB2KfbNQGxwePjKz
>                                Mx1ezfGmKT6toBBYI5ChPja1/rECQOq47MhrE5aFGIzL
>                                0eeLu9n2wvuzGrVva7TL89kPiyZyzU7sqQk+3E0s5wlc
>                                yVXW/KZlkP/O088KDJOhHzTZZgCjfrml+kFEKQM=
>                                ) ; KSK; alg = RSASHA256 ; key id = 39529
> 
> 
> Is it OK to have DS records for just algorithm 8, a KSK with algorithm 8,
> but a ZSK with algorithm 7?  Unbound seems to tolerate this, though I
> did earlier today see ServFail for _25._tcp.diogenes.leeuwarden.nl, that
> I no longer see, so perhaps not related to the ZSK algorithm oddity…

Yes.  There must be DNSKEY records for every algorithm in the DS.
There is no reverse requirement.  The zone doesn’t even have to be
fully signed with algorithm 7.  It must be fully signed with algorithm 8.
The SEP bit is only advisory.

Mark

> -- 
> 	Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
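As an added example (not part of the thread or of any ISC code), the following Python check applies the DS/DNSKEY half of the rule Mark states to the records quoted above: every algorithm present in the DS RRset must appear in the DNSKEY RRset, while extra DNSKEY algorithms (here alg 7) are permitted. It also recomputes the RFC 4034 key tags and the DS digest so the DS is matched to the actual KSK rather than to the advisory SEP bit; whether the zone is fully signed with algorithm 8 would need the RRSIGs and is not checked here.

```python
import base64
import hashlib
import struct

# Records exactly as quoted from the dig output in the thread (leeuwarden.nl.).
NAME = "leeuwarden.nl."
DS_RRS = [(39529, 8, 2, "C383F613E25AFD16DF63861932CF2BFCC70C0904E048C990022BC6B817D6B5E5")]
ZSK_B64 = ("AwEAAabMlzUvmnHDtqiwDTNqagy/z6D5KG2D7glyCiHZ" "9d/y0M4/70ASkWD/V2bY+SEfAXRO1gqfoq+Jb8HOu2D0"
           "7F91WoZ+n4OeqGR937W/lzSL441CtnGVxFrh3iruxUYK" "qSEXW7KlkRoa5tnlrEueU6LUpDS4jU5eo3VT70vNn4lb")
KSK_B64 = ("AwEAAchUEsOBPcX/t/vyjrBv1n60V6zU/35BLAt45bzD" "XTwlgh4mBTmRQ/RR6OCE1eIBcFNxRwWgfguYK3aR15i/"
           "3FMyKbyf4GCc2CSdos2ex7W4f3SS6x3iODXBVfBgONul" "ffP8woLM85yuGESIu8Wbi9okVZkR4Bhob0dUEfyVvsAh"
           "o0k10RP5bDdWmKJjecfYvtKbMRNKAB2KfbNQGxwePjKz" "Mx1ezfGmKT6toBBYI5ChPja1/rECQOq47MhrE5aFGIzL"
           "0eeLu9n2wvuzGrVva7TL89kPiyZyzU7sqQk+3E0s5wlc" "yVXW/KZlkP/O088KDJOhHzTZZgCjfrml+kFEKQM=")
DNSKEY_RRS = [(256, 3, 7, ZSK_B64), (257, 3, 8, KSK_B64)]  # (flags, protocol, algorithm, key)


def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(pubkey_b64.split()))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not a hash, just a checksum)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire-format owner name, as hashed into the DS digest."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_digest(name, rdata, digest_type):
    """RFC 4034 5.1.4: digest over owner name followed by the DNSKEY RDATA."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(owner_wire(name) + rdata).hexdigest().upper()


def check_ds_coverage(name, ds_rrs, dnskey_rrs):
    keys = [(f, a, dnskey_rdata(f, p, a, k)) for f, p, a, k in dnskey_rrs]
    ds_algs = {alg for _, alg, _, _ in ds_rrs}
    key_algs = {alg for _, alg, _ in keys}
    # A DS is "anchored" only if algorithm, key tag and digest all match a published DNSKEY.
    anchored = [(tag, alg, flags) for tag, alg, dtype, digest in ds_rrs
                for flags, kalg, rdata in keys
                if kalg == alg and key_tag(rdata) == tag and ds_digest(name, rdata, dtype) == digest.upper()]
    return {"missing_algorithms": ds_algs - key_algs,      # must be empty: every DS algorithm needs a DNSKEY
            "extra_dnskey_algorithms": key_algs - ds_algs,  # allowed: there is no reverse requirement
            "anchored": anchored}
```

Running `check_ds_coverage(NAME, DS_RRS, DNSKEY_RRS)` reports no missing algorithm, algorithm 7 as an extra DNSKEY-only algorithm, and the DS anchored to the alg 8 key with flags 257, which is the situation the question describes.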