[dns-operations] DNSSEC and multiple signatures

Eric Germann ekgermann at gmail.com
Mon May 17 18:34:37 UTC 2021

I have a question regarding multiple signings.  I’ve seen some domains sign
with multiple algorithms (8 and 13 specifically).

How does a validating resolver choose which signature to use.  First
available?  Stronger crypto?  Both have to be valid through the chain?

Eric Germann
ekgermann(at)semperen(dot)com || ekgermann(at)gmail(dot)com
LinkedIn: https://www.linkedin.com/in/ericgermann
Twitter: @ekgermann

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
Telegram||Signal +1(dash)419(dash)513(dash)0712
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210517/335af88a/attachment.html>

More information about the dns-operations mailing list