[dns-operations] ZSK algorithm different from DS/KSK algorithm?
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Nov 15 05:12:17 UTC 2017
> On Nov 14, 2017, at 11:41 PM, Mark Andrews <marka at isc.org> wrote:
>
> Yes. There must be DNSKEY records for every algorithm in the DS.
> There is no reverse requirement. The zone doesn’t even have to be
> fully signed with algorithm 7. It must be fully signed with algorithm 8.
> The SEP bit is only advisory.
Thanks, so I think that the problem here is that at least some
of the nameservers return only the ZSK (alg 7) RRSIG for some
records:
$ dig +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl \
+nottl +nosplit +norecur -t tlsa _25._tcp.diogenes.leeuwarden.nl \
@213.136.12.51
... condensed for clarity ...
;; AUTHORITY SECTION:
leeuwarden.nl. SOA a-p-ddi-0003.leeuwarden.nl. ...
leeuwarden.nl. RRSIG SOA 8 2 ...
leeuwarden.nl. RRSIG SOA 7 2 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. NSEC3 1 0 10 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. RRSIG NSEC3 7 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. NSEC3 1 0 10 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 8 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 7 3 ...
ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. NSEC3 1 0 10 ...
ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. RRSIG NSEC3 8 3 ...
ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. RRSIG NSEC3 7 3 ...
Above, one of the 3 NSEC3 records (34l83kdikrttor5v48r03n9nmstp7ol9)
has only an algorithm 7 signature, but it must be signed with
algorithm 8 if I understand your comment correctly.
--
Viktor.