[dns-operations] ZSK algorithm different from DS/KSK algorithm?
Casey Deccio
casey at deccio.net
Thu Nov 16 18:36:08 UTC 2017
> On Nov 14, 2017, at 9:23 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> Is it OK to have DS records for just algorithm 8, a KSK with algorithm 8,
> but a ZSK with algorithm 7?
What is curious about this is that two of the three NSEC3 records are signed with both algs 7 and 8, and one (the NSEC3 corresponding to the closest enclosure) is only signed by alg 7. I wonder what led to the inconsistency. For most (all?) implementations it should be fine, but as Mark indicated, for a validator that only supports alg 8, that makes the NSEC3 record bogus, as well as the negative proof.
http://dnsviz.net/d/_25._tcp.diogenes.leeuwarden.nl/WgupAQ/dnssec/?rr=all&a=8&ds=all&ta=.&tk=
Casey
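
An added example, not part of the original message: a Python sketch of the consistency check this thread is about, run over constructed data modelled on the case described (DS with algorithm 8 only, DNSKEY algorithms 7 and 8, one NSEC3 RRset signed by algorithm 7 alone). The owner names are placeholders, and the model assumes every RRSIG present is cryptographically valid and the DNSKEY RRset itself validates.

```python
# Constructed sample; owner names are placeholders, not the zone's real NSEC3 hashes.
DS_ALGS = {8}
DNSKEY_ALGS = {7, 8}
RRSIG_ALGS = {
    "nsec3-a.example. NSEC3": {7, 8},
    "nsec3-b.example. NSEC3": {7, 8},
    "nsec3-closest.example. NSEC3": {7},  # the RRset signed only by alg 7
}


def missing_algorithms(rrsig_algs, dnskey_algs):
    """Signer-side check (RFC 4035 section 2.2): each RRset should carry an
    RRSIG for every algorithm present in the apex DNSKEY RRset.
    Returns {rrset: [algorithms with no RRSIG]} for RRsets that fall short."""
    return {
        name: sorted(dnskey_algs - algs)
        for name, algs in rrsig_algs.items()
        if dnskey_algs - algs
    }


def bogus_for_validator(rrsig_algs, ds_algs, dnskey_algs, supported):
    """RRsets that a validator implementing only `supported` cannot verify.
    Returns None when the validator supports none of the DS algorithms,
    because it then treats the zone as insecure rather than bogus."""
    if not (ds_algs & supported):
        return None
    usable = dnskey_algs & supported
    return sorted(
        name for name, algs in rrsig_algs.items() if not (algs & usable)
    )


if __name__ == "__main__":
    print("missing RRSIG algorithms:", missing_algorithms(RRSIG_ALGS, DNSKEY_ALGS))
    for supported in ({7, 8}, {8}, {7}):
        result = bogus_for_validator(RRSIG_ALGS, DS_ALGS, DNSKEY_ALGS, supported)
        print("validator supports", sorted(supported), "->", result)
```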