[dns-operations] DNSSEC and multiple signatures
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue May 18 00:10:06 UTC 2021
On Tue, May 18, 2021 at 01:07:42AM +0200, Matthäus Wander via dns-operations wrote:
> > How does a validating resolver choose which signature to use. First
> > available? Stronger crypto? Both have to be valid through the chain?
> > Random?
>
> The resolver attempts validation of all signatures (for which it has
> algorithm support) until it finds one that validates correctly. One
> valid signature suffices.
That's likely typical, but there may resolvers out there that will
pick the strongest (in their estimation) supported algorithm, and
require that one to work.
Bottom line: make sure *all* your signatures are valid, if you sign
with multiple algorithms...
--
Viktor.
More information about the dns-operations
mailing list