[dns-operations] TLD .law - non-signing KSK with referenced DS
Einar Bjarni Halldórsson
einar at isnic.is
Wed Jan 19 08:20:03 UTC 2022
On 14.1.2022 10:30, Viktor Dukhovni wrote:
> On Fri, Jan 14, 2022 at 10:09:04AM +0000, Matthew Richardson wrote:
>
>> Looking visually at the DNSViz output, the KSK 16819 does look strange as
>> it is referenced by a DS but does not sign anything.
>>
>> Out of interest, do folks think this is a valid configuration?
> Looks valid to me, because another KSK for the same algorithm and
> choice of hash does sign the DNSKEY RRset:
I thought it was just the same algorithm, not necessarily the same hash
type?
We're finishing up a test migration of a signed zone, doing a key
rollover, and the old DS record is algorithm 8, digest type 2. The new
key has two DS records, both algorithm 8, one digest type 2, one type 4.
We saw the error in zonemaster, but DNSviz and probes in RIPE Atlas
never flagged an error.
.einar
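The point under discussion is whether a DS-referenced KSK that signs nothing breaks validation. The rule in RFC 4035 section 2.2 and RFC 6840 section 5.11 is stated per DNSKEY *algorithm*, not per DS digest type: a validator needs one DS that matches a DNSKEY which validly signs the DNSKEY RRset, and the zone must provide such a path for each algorithm present in the DS RRset. The digest type of a DS only affects whether that particular DS can be matched to its key. The following model is an added example, not code from the thread, from the .law operator or from any of the tools named above; the key tag 16819 comes from the thread, while the other key tags, the RRSIG and DS data, and the tag-plus-algorithm stand-in for the digest comparison are constructed assumptions.

```python
# Added example (not from the dns-operations thread): a model of the DNSSEC
# "does a DS-referenced KSK have to sign?" question. Key tags other than 16819
# and all RRSIG/DS data below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int    # DNSKEY algorithm number, e.g. 8 = RSASHA256
    digest_type: int  # DS digest type, e.g. 2 = SHA-256, 4 = SHA-384


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK


@dataclass(frozen=True)
class RRSIG:
    type_covered: str  # RRtype the signature covers, e.g. "DNSKEY"
    algorithm: int
    key_tag: int


def ds_matches(ds, key):
    # Assumption: a real validator also recomputes the digest over the DNSKEY
    # RDATA and compares it; there is no key material here, so key tag and
    # algorithm stand in for that comparison.
    return ds.key_tag == key.key_tag and ds.algorithm == key.algorithm


def signing_keys(dnskeys, rrsigs, rrtype="DNSKEY"):
    """Keys that produced at least one RRSIG over rrtype (for DNSKEY: the active KSKs)."""
    sig_ids = {(s.key_tag, s.algorithm) for s in rrsigs if s.type_covered == rrtype}
    return [k for k in dnskeys if (k.key_tag, k.algorithm) in sig_ids]


def validator_accepts(ds_set, dnskeys, rrsigs):
    """RFC 6840 section 5.11: a validator needs one valid path, i.e. one DS that
    matches a DNSKEY which signs the DNSKEY RRset. Digest type plays no part."""
    signers = signing_keys(dnskeys, rrsigs)
    return any(ds_matches(ds, k) for ds in ds_set for k in signers)


def algorithm_coverage(ds_set, dnskeys, rrsigs):
    """Zone-operator view (RFC 4035 section 2.2): every algorithm present in the
    DS RRset must have a DNSKEY of that algorithm signing the DNSKEY RRset.
    Returns {algorithm: covered?}; a False entry is a real misconfiguration."""
    signer_algs = {k.algorithm for k in signing_keys(dnskeys, rrsigs)}
    return {alg: alg in signer_algs for alg in sorted({ds.algorithm for ds in ds_set})}


def idle_ds(ds_set, dnskeys, rrsigs):
    """DS records pointing at a published key that signs nothing: harmless for
    validation when another key of the same algorithm signs, but worth a look
    during a rollover because the DS is doing no work."""
    signers = {(k.key_tag, k.algorithm) for k in signing_keys(dnskeys, rrsigs)}
    published = {(k.key_tag, k.algorithm) for k in dnskeys}
    return [ds for ds in ds_set
            if (ds.key_tag, ds.algorithm) in published
            and (ds.key_tag, ds.algorithm) not in signers]


# Constructed data modelling the rollover described in the thread: the old KSK
# 16819 is still published with its DS but signs nothing; the new KSK (tag 54321,
# constructed) has DS records with digest types 2 and 4 and signs the DNSKEY RRset.
DS_SET = [DS(16819, 8, 2), DS(54321, 8, 2), DS(54321, 8, 4)]
DNSKEYS = [DNSKEY(16819, 8, 257), DNSKEY(54321, 8, 257), DNSKEY(11111, 8, 256)]
RRSIGS = [RRSIG("DNSKEY", 8, 54321), RRSIG("SOA", 8, 11111)]

if __name__ == "__main__":
    print("validator accepts:", validator_accepts(DS_SET, DNSKEYS, RRSIGS))
    print("algorithm coverage:", algorithm_coverage(DS_SET, DNSKEYS, RRSIGS))
    print("idle DS key tags:", [ds.key_tag for ds in idle_ds(DS_SET, DNSKEYS, RRSIGS)])
```

With the constructed data, `validator_accepts` is true and every algorithm in the DS RRset is covered, even though the DS for 16819 matches a key that signs nothing and the two DS records for the new key use different digest types. Adding a DS with a second algorithm (say 13) and no DNSKEY of that algorithm would leave `validator_accepts` true (one path still works) but turn `algorithm_coverage` false for 13, which is the per-algorithm condition the operator, rather than the validator, is responsible for.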