[dns-operations] DNSSEC and multiple signatures
mail at wander.science
Mon May 17 23:07:42 UTC 2021
Eric Germann wrote on 2021-05-17 20:34:
> I have a question regarding multiple signings. I’ve seen some domains
> sign with multiple algorithms (8 and 13 specifically).
> How does a validating resolver choose which signature to use. First
> available? Stronger crypto? Both have to be valid through the chain?
The resolver attempts validation of all signatures (for which it has
algorithm support) until it finds one that validates correctly. One
valid signature suffices.
More information about the dns-operations