[dns-operations] ZSK algorithm different from DS/KSK algorithm?
Francis Dupont
Francis.Dupont at fdupont.fr
Wed Nov 15 04:49:34 UTC 2017
In your previous mail you wrote:
> Is it OK to have DS records for just algorithm 8, a KSK with algorithm 8,
> but a ZSK with algorithm 7? Unbound seems to tolerate this
=> Unbound is correct: it is allowed. BTW it can lead to unexpected
results because of RFC 4035 section 2.2 which mandates:

    There MUST be an RRSIG for each RRset using at least one DNSKEY of
    each algorithm in the zone apex DNSKEY RRset.

so in your example the zone will be signed using both algorithms 7 and 8
even though the key for algorithm 8 has the KSK flag.
Regards
Francis.Dupont at fdupont.fr
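As an added illustration of the RFC 4035 section 2.2 requirement discussed in this reply (example code written for this archive page, not from the list, the RFC, or Unbound), the Python check below reads a constructed zone excerpt in presentation format and reports, per RRset, which apex DNSKEY algorithms have not signed it; it handles any mix of algorithms, not only the 7/8 case. Zone names, key tags and signature strings are made up.

```python
"""Check RFC 4035 section 2.2 algorithm coverage on a signed zone excerpt."""
from collections import defaultdict

# Constructed zone excerpt (not real data) in presentation format.
# DNSKEY: flags proto alg key      RRSIG: type-covered alg labels ttl exp inc keytag signer sig
# The ZSK (flags 256) is algorithm 7, the KSK (flags 257) is algorithm 8,
# and each RRset is signed by only one of them.
ZONE_ONE_ALG_EACH = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAkskKey==
example.test. 3600 IN DNSKEY 256 3 7 AwEAAzskKey==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20251201000000 20251101000000 11111 example.test. sigA==
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 7 2 3600 20251201000000 20251101000000 22222 example.test. sigB==
www.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN RRSIG A 7 3 3600 20251201000000 20251101000000 22222 example.test. sigC==
"""

# Same zone with the missing signatures added: every RRset signed by both algorithms.
ZONE_BOTH_ALGS = ZONE_ONE_ALG_EACH + """\
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20251201000000 20251101000000 22222 example.test. sigD==
example.test. 3600 IN RRSIG SOA 8 2 3600 20251201000000 20251101000000 11111 example.test. sigE==
www.example.test. 3600 IN RRSIG A 8 3 3600 20251201000000 20251101000000 11111 example.test. sigF==
"""

def parse(zone_text):
    """Return (set of apex DNSKEY algorithms, {(owner, type): RRSIG algorithms}, set of RRsets)."""
    dnskey_algs, rrsets, sig_algs = set(), set(), defaultdict(set)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":   # only class IN records with explicit TTL are parsed
            continue
        owner, rtype = f[0], f[3]
        if rtype == "RRSIG":
            sig_algs[(owner, f[4])].add(int(f[5]))   # f[4] = type covered, f[5] = algorithm
            continue
        if rtype == "DNSKEY":
            dnskey_algs.add(int(f[6]))               # f[6] = DNSKEY algorithm
        rrsets.add((owner, rtype))
    return dnskey_algs, sig_algs, rrsets

def missing_coverage(zone_text):
    """Map each RRset to the apex DNSKEY algorithms that have not signed it.
    An empty dict means the excerpt satisfies RFC 4035 section 2.2."""
    dnskey_algs, sig_algs, rrsets = parse(zone_text)
    return {rr: dnskey_algs - sig_algs.get(rr, set())
            for rr in sorted(rrsets) if dnskey_algs - sig_algs.get(rr, set())}

if __name__ == "__main__":
    for name, zone in (("one alg each", ZONE_ONE_ALG_EACH), ("both algs", ZONE_BOTH_ALGS)):
        print(name, "->", missing_coverage(zone) or "compliant")
```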