[dns-operations] DNSSEC and multiple signatures

Matthäus Wander mail at wander.science
Mon May 17 23:07:42 UTC 2021

Eric Germann wrote on 2021-05-17 20:34:
> I have a question regarding multiple signings.  I’ve seen some domains
> sign with multiple algorithms (8 and 13 specifically).
> How does a validating resolver choose which signature to use?  First
> available?  Stronger crypto?  Both have to be valid through the chain?
> Random?

The resolver attempts validation of all signatures (for which it has
algorithm support) until it finds one that validates correctly. One
valid signature suffices.
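
The selection rule described in the reply above, sketched as an added example that is not part of the original post or any resolver's code. HMAC-SHA256 stands in for real RSA/ECDSA verification so it runs with the standard library alone; the keys, key tags, timestamps, function names and status labels are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    algorithm: int      # 8 = RSASHA256, 13 = ECDSAP256SHA256
    key_tag: int
    secret: bytes       # toy key material (assumption, not a real DNSKEY)

@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    inception: int
    expiration: int
    signature: bytes

def toy_sign(key, rrset, inception, expiration):
    # Stand-in for RSA/ECDSA signing: an HMAC over the RRset bytes.
    mac = hmac.new(key.secret, rrset, hashlib.sha256).digest()
    return RRSIG(key.algorithm, key.key_tag, inception, expiration, mac)

def validate_rrset(rrset, rrsigs, dnskeys, supported, now):
    """Try every RRSIG with a supported algorithm; one valid one suffices."""
    supported_seen = False
    for sig in rrsigs:
        if sig.algorithm not in supported:
            continue                          # cannot evaluate, skip it
        supported_seen = True
        if not (sig.inception <= now <= sig.expiration):
            continue                          # outside validity window
        for key in dnskeys:
            if (key.algorithm, key.key_tag) != (sig.algorithm, sig.key_tag):
                continue                      # RRSIG names a different key
            expected = hmac.new(key.secret, rrset, hashlib.sha256).digest()
            if hmac.compare_digest(expected, sig.signature):
                return ("secure", sig.algorithm)   # stop at first success
    return ("bogus", None) if supported_seen else ("no-supported-algorithm", None)

# Constructed sample data: one RRset signed with algorithms 8 and 13.
RRSET = b"example.test. 3600 IN A 192.0.2.1"
K8 = DNSKEY(8, 1111, b"constructed-rsa-key")
K13 = DNSKEY(13, 2222, b"constructed-ecdsa-key")
SIG8 = toy_sign(K8, RRSET, 100, 200)
SIG13 = toy_sign(K13, RRSET, 100, 200)
BAD8 = RRSIG(8, 1111, 100, 200, b"\x00" * 32)   # corrupted algorithm-8 signature
```
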

