[dns-operations] DNSSEC and multiple signatures
Matthäus Wander
mail at wander.science
Mon May 17 23:07:42 UTC 2021
Eric Germann wrote on 2021-05-17 20:34:
> I have a question regarding multiple signings. I’ve seen some domains
> sign with multiple algorithms (8 and 13 specifically).
>
> How does a validating resolver choose which signature to use? First
> available? Stronger crypto? Both have to be valid through the chain?
> Random?
The resolver attempts validation of all signatures (for which it has
algorithm support) until it finds one that validates correctly. One
valid signature suffices.
Regards,
Matt
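
The selection behaviour described in the reply above, as an added example that is not part of the original post and not code from any resolver. HMAC stands in for RSA/ECDSA verification so it runs on the Python standard library; the record classes, outcome labels, key tags and sample data are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    algorithm: int   # 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256
    key_tag: int
    material: bytes

@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    inception: int
    expiration: int
    signature: bytes

def _mac(key, rrset):
    # Stand-in for a public-key signature so the example runs on the stdlib.
    return hmac.new(key.material, rrset, hashlib.sha256).digest()

def sign(key, rrset, inception, expiration):
    return RRSIG(key.algorithm, key.key_tag, inception, expiration, _mac(key, rrset))

def validate_rrset(rrset, rrsigs, dnskeys, supported, now):
    """Return ('secure', algorithm), ('bogus', None) or ('unsupported', None)."""
    tried = False
    for sig in rrsigs:
        if sig.algorithm not in supported:
            continue                      # cannot evaluate this signature at all
        tried = True
        if not sig.inception <= now <= sig.expiration:
            continue                      # outside validity window, try the next one
        for key in dnskeys:
            if (key.algorithm, key.key_tag) != (sig.algorithm, sig.key_tag):
                continue
            if hmac.compare_digest(_mac(key, rrset), sig.signature):
                return ("secure", sig.algorithm)   # one valid signature suffices
    # 'unsupported' is this example's label; its handling is out of scope here.
    return ("bogus", None) if tried else ("unsupported", None)

# Constructed sample data (not from the thread).
RRSET = b"example.test. 3600 IN A 192.0.2.1"
K8, K13 = DNSKEY(8, 11111, b"constructed-key-8"), DNSKEY(13, 22222, b"constructed-key-13")
NOW = 1_621_292_862
GOOD8 = sign(K8, RRSET, NOW - 3600, NOW + 3600)
GOOD13 = sign(K13, RRSET, NOW - 3600, NOW + 3600)
EXPIRED8 = sign(K8, RRSET, NOW - 7200, NOW - 3600)
```

With an expired algorithm 8 signature next to a good algorithm 13 one, a resolver supporting both still reaches "secure", while one supporting only algorithm 8 reaches "bogus" for the same answer.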