[dns-operations] DNSSEC and multiple signatures

Viktor Dukhovni ietf-dane at dukhovni.org
Tue May 18 00:10:06 UTC 2021

On Tue, May 18, 2021 at 01:07:42AM +0200, Matthäus Wander via dns-operations wrote:

> > How does a validating resolver choose which signature to use.  First
> > available?  Stronger crypto?  Both have to be valid through the chain? 
> > Random?
> The resolver attempts validation of all signatures (for which it has
> algorithm support) until it finds one that validates correctly. One
> valid signature suffices.

That's likely typical, but there may resolvers out there that will
pick the strongest (in their estimation) supported algorithm, and
require that one to work.

Bottom line: make sure *all* your signatures are valid, if you sign
with multiple algorithms...


More information about the dns-operations mailing list