Mixing Algorithms for DNSSEC
Casey Deccio
casey at deccio.net
Sat Oct 15 15:11:02 UTC 2011
On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins <mje at posix.co.za> wrote:
> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again.
> 1 - Signer is confused???? - can not sign (or generate a new Signed
> Zone)...
> Verifying the zone using the following algorithms: RSASHA1.
> Missing self signing KSK for algorithm RSASHA256
> The zone is not fully signed for the following algorithms:
> RSASHA256.
> dnssec-signzone: fatal: DNSSEC completeness test failed.
When you include DNSKEYs with multiple algorithms, both the DNSKEY RRset and
the other RRsets in the zone must be signed with each algorithm [1]. Because
you designated your RSASHA256 DNSKEY as a KSK, dnssec-signzone is only using
it to sign the DNSKEY RRset, not the other RRsets. To resolve this, add a
ZSK with algorithm RSASHA256 to your zone.
Regards,
Casey
[1] See http://tools.ietf.org/html/rfc4035 - section 2.2
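The rule Casey cites can be checked offline without dnssec-signzone. The script below is an added example, not part of the original thread and not BIND code: it reads records in a simplified presentation format (owner, TTL, class, type, rdata, one record per line, constructed here), collects the algorithms present in the apex DNSKEY RRset, and reports every RRset that lacks an RRSIG in one of those algorithms, which is exactly what the "not fully signed for the following algorithms" message is complaining about. The zone names, key tags and signature strings are placeholders; the script checks only algorithm coverage, not the signatures themselves.

```python
"""Offline check of the RFC 4035 section 2.2 completeness rule.

Every algorithm that appears in the apex DNSKEY RRset must also appear in
the RRSIGs covering every RRset in the zone (DNSKEY RRset included).
Example code; the zone text below is constructed and the signatures are
placeholders, not real base64 signature data.
"""
from collections import defaultdict

# DNSSEC algorithm numbers, named the way dnssec-signzone reports them
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}

# Mark's scenario: RSASHA1 KSK + ZSK, then an RSASHA256 KSK added on its own.
# The new KSK signs only the DNSKEY RRset, so SOA and A stay RSASHA1-only.
BROKEN_ZONE = """
example.com.     3600 IN SOA    ns1.example.com. hostmaster.example.com. 2011101501 7200 3600 1209600 3600
example.com.     3600 IN RRSIG  SOA 5 2 3600 20111115000000 20111016000000 11111 example.com. sigA==
example.com.     3600 IN DNSKEY 257 3 5 KSKrsasha1==      ; KSK, RSASHA1
example.com.     3600 IN DNSKEY 256 3 5 ZSKrsasha1==      ; ZSK, RSASHA1
example.com.     3600 IN DNSKEY 257 3 8 KSKrsasha256==    ; KSK, RSASHA256 (new)
example.com.     3600 IN RRSIG  DNSKEY 5 2 3600 20111115000000 20111016000000 22222 example.com. sigB==
example.com.     3600 IN RRSIG  DNSKEY 8 2 3600 20111115000000 20111016000000 33333 example.com. sigC==
www.example.com. 3600 IN A      192.0.2.1
www.example.com. 3600 IN RRSIG  A 5 3 3600 20111115000000 20111016000000 11111 example.com. sigD==
"""

# Casey's fix: an RSASHA256 ZSK, which then signs the other RRsets too.
FIXED_ZONE = BROKEN_ZONE + """
example.com.     3600 IN DNSKEY 256 3 8 ZSKrsasha256==    ; ZSK, RSASHA256 (added)
example.com.     3600 IN RRSIG  SOA 8 2 3600 20111115000000 20111016000000 44444 example.com. sigE==
www.example.com. 3600 IN RRSIG  A 8 3 3600 20111115000000 20111016000000 44444 example.com. sigF==
"""


def parse_records(zone_text):
    """Return a list of (owner, type, rdata_fields) tuples; strips comments."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, _ttl, _cls, rtype = fields[:4]
        records.append((owner, rtype, fields[4:]))
    return records


def dnskey_algorithms(records, apex):
    """Algorithm numbers present in the apex DNSKEY RRset.

    DNSKEY rdata is: flags protocol algorithm public-key."""
    return {int(rdata[2]) for owner, rtype, rdata in records
            if owner == apex and rtype == "DNSKEY"}


def rrsig_coverage(records):
    """Map (owner, covered type) -> set of algorithms that have an RRSIG.

    RRSIG rdata starts: type-covered algorithm labels original-ttl ..."""
    coverage = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            coverage[(owner, rdata[0])].add(int(rdata[1]))
    return coverage


def completeness_gaps(records, apex):
    """Return {(owner, type): [missing algorithm names]} for every RRset
    not signed by all algorithms in the apex DNSKEY RRset. Empty dict
    means the zone passes the completeness rule."""
    required = dnskey_algorithms(records, apex)
    coverage = rrsig_coverage(records)
    rrsets = {(owner, rtype) for owner, rtype, _ in records if rtype != "RRSIG"}
    gaps = {}
    for rrset in sorted(rrsets):
        missing = required - coverage.get(rrset, set())
        if missing:
            gaps[rrset] = sorted(ALG_NAMES.get(a, str(a)) for a in missing)
    return gaps


def report(zone_text, apex="example.com."):
    """Print a dnssec-signzone-style verdict for one zone text."""
    gaps = completeness_gaps(parse_records(zone_text), apex)
    if not gaps:
        print("zone is fully signed for all DNSKEY algorithms")
    for (owner, rtype), algs in gaps.items():
        print(f"{owner} {rtype}: missing RRSIG for {', '.join(algs)}")


if __name__ == "__main__":
    print("-- broken (RSASHA256 KSK only)")
    report(BROKEN_ZONE)
    print("-- fixed (RSASHA256 ZSK added)")
    report(FIXED_ZONE)
```

In the broken zone only the DNSKEY RRset is covered by both algorithms; the SOA and the www A record are flagged as missing RSASHA256, matching the signer's complaint. Adding the RSASHA256 ZSK and its RRSIGs clears the report. Note that a real signer also checks that each algorithm's DNSKEY RRSIG was made by a KSK of that algorithm; this script deliberately stops at algorithm coverage.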