[dns-operations] ZSK algorithm different from DS/KSK algorithm?

Casey Deccio casey at deccio.net
Thu Nov 16 18:36:08 UTC 2017

> On Nov 14, 2017, at 9:23 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> Is it OK to have DS records for just algorithm 8, a KSK with algorithm 8,
> but a ZSK with algorithm 7?

What is curious about this is that two of the three NSEC3 records are signed with both algs 7 and 8, and one (the NSEC3 corresponding to the closest enclosure) is only signed by alg 7.  I wonder what led to the inconsistency.  While for most (all?) implementations it should be fine, but as Mark indicated, for a validator that only supports alg 8, that makes the NSEC3 record bogus, as well as the negative proof.



More information about the dns-operations mailing list