[dns-operations] ZSK algorithm different from DS/KSK algorithm?

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Nov 15 05:12:17 UTC 2017



> On Nov 14, 2017, at 11:41 PM, Mark Andrews <marka at isc.org> wrote:
> 
> Yes.  There must be a DNSKEY record for every algorithm in the DS.
> There is no reverse requirement.  The zone doesn’t even have to be
> fully signed with algorithm 7.  It must be fully signed with algorithm 8.
> The SEP bit is only advisory.

Thanks, so I think that the problem here is that at least some
of the nameservers return only the ZSK (alg 7) RRSIG for some
records:

$ dig +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl \
  +nottl +nosplit +norecur -t tlsa _25._tcp.diogenes.leeuwarden.nl \
  @213.136.12.51

... condensed for clarity ...

;; AUTHORITY SECTION:
leeuwarden.nl.          SOA     a-p-ddi-0003.leeuwarden.nl. ...
leeuwarden.nl.          RRSIG   SOA 8 2 ...
leeuwarden.nl.          RRSIG   SOA 7 2 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. NSEC3 1 0 10 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. RRSIG NSEC3 7 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. NSEC3 1 0 10 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 8 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 7 3 ...
ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. NSEC3 1 0 10 ...
ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. RRSIG NSEC3 8 3 ...
ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. RRSIG NSEC3 7 3 ...

Above one of the 3 NSEC3 records (34l83kdikrttor5v48r03n9nmstp7ol9)
has only an algorithm 7 signature, but it must be signed with
algorithm 8 if I understand your comment correctly.

-- 
	Viktor.
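A small checker for the mismatch described above, added here as an example and not part of the thread: it parses condensed `dig +dnssec` output in the owner/type/rdata layout produced by the `+nocl +nottl` flags in the query and reports every RRset that lacks an RRSIG for one of the algorithms the zone is expected to be signed with. The required algorithm set {7, 8} and the sample lines (constructed from the post, with the elided fields kept as `...`) are assumptions.

```python
"""Report RRsets that are not signed with every required DNSSEC algorithm
(RFC 4035 section 2.2: each algorithm in the zone's DNSKEY RRset must sign
every RRset). Added example; not the list's or any vendor's code."""
from collections import defaultdict

# Constructed sample in the condensed dig layout from the post: owner, type,
# rdata. The NSEC3 record at 34l83k... carries only an algorithm 7 RRSIG.
SAMPLE = """\
leeuwarden.nl. SOA a-p-ddi-0003.leeuwarden.nl. ...
leeuwarden.nl. RRSIG SOA 8 2 ...
leeuwarden.nl. RRSIG SOA 7 2 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. NSEC3 1 0 10 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. RRSIG NSEC3 7 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. NSEC3 1 0 10 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 8 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 7 3 ...
"""

# Assumed: the zone's DS/DNSKEY set carries algorithms 7 and 8, as in the post.
REQUIRED_ALGS = {7, 8}


def parse_rrsets(text):
    """Return (set of (owner, type), {(owner, covered type): {algorithms}})."""
    rrsets = set()
    sigs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and dig comment lines such as ";; AUTHORITY SECTION:".
        if len(fields) < 2 or fields[0].startswith(";"):
            continue
        owner, rtype = fields[0], fields[1]
        if rtype == "RRSIG":
            # RRSIG rdata begins: type covered, algorithm number, label count.
            covered, alg = fields[2], int(fields[3])
            sigs[(owner, covered)].add(alg)
        else:
            rrsets.add((owner, rtype))
    return rrsets, sigs


def missing_signatures(text, required_algs=REQUIRED_ALGS):
    """Map each under-signed RRset to the required algorithms it lacks."""
    rrsets, sigs = parse_rrsets(text)
    required = set(required_algs)
    gaps = {rr: required - sigs.get(rr, set()) for rr in rrsets}
    return {rr: algs for rr, algs in sorted(gaps.items()) if algs}


if __name__ == "__main__":
    for (owner, rtype), algs in missing_signatures(SAMPLE).items():
        print(f"{owner} {rtype}: no RRSIG for algorithm(s) {sorted(algs)}")
```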
