At Wed, 24 Jun 2009 18:23:52 +0000, Evan Hunt wrote:
>
> On Wed, Jun 24, 2009 at 05:45:33PM +0200, holger.zule...@arcor.net wrote:
> > I have some issues with dnssec-signzone under BIND 9.7.0a1.
> >
> > I'm using different algorithms for key- and zone signing keys.
>
> You can use multiple algorithms in a zone, but each algorithm must be
> represented as both KSK and ZSK. If you have an RSASHA1 KSK, an RSAMD5
> KSK, an RSASHA1 ZSK and an RSAMD5 ZSK, you'll be fine. But if all
> your KSKs are RSASHA1 and all your ZSKs are RSAMD5, that's actually
> a protocol violation. dnssec-signzone should have been complaining
> all along; it was a bug that it didn't.
Evan's rule (that the KSK and ZSK algorithms should match) is correct, but the reasons are a bit (more) complex.

The protocol requirement is that every signed RRset in a zone have an RRSIG for each algorithm listed in the zone's DS RRset in the parent. A simpler way of saying this is that every KSK algorithm in a zone must also be a ZSK algorithm. Note that this has nothing to do with the SEP bit in the DNSKEY RRs, only with which keys sign which RRsets (the protocol forbids the validator from using the SEP bit).

The validator allows ZSK algorithms which are not KSK algorithms, but signing your zone that way leaves you vulnerable to the same algorithm downgrade attack that resulted in the seemingly bizarre protocol requirement noted above. So don't do that. Allowing ZSK algorithms that aren't KSK algorithms is useful during certain transitions, but you don't want verification to rely on mismatched algorithms.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
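The rule stated above (every signed RRset needs an RRSIG for every algorithm in the parent's DS RRset, which is the same as saying every KSK algorithm must also be a ZSK algorithm) as an added worked example. This is illustration code written for this page, not BIND's or dnssec-signzone's own code. It models a zone as a set of RRsets, each tagged with the algorithms of the RRSIGs that cover it, and it assumes a common signing layout: the parent publishes one DS per KSK, the DNSKEY RRset is signed by every KSK and ZSK, and every other RRset is signed by the ZSKs only. The validator model at the end is likewise a simplification used only to show why the rule exists.

```python
"""Added example: check the DNSSEC signing rule discussed in the thread.

Rule: every signed RRset must carry an RRSIG for every algorithm that
appears in the zone's DS RRset at the parent.  The zone and validator
models below are simplifications made for this example, not BIND code.
"""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSAMD5, RSASHA1, RSASHA256 = 1, 5, 8
ALG_NAMES = {RSAMD5: "RSAMD5", RSASHA1: "RSASHA1", RSASHA256: "RSASHA256"}


@dataclass(frozen=True)
class SignedRRset:
    name: str
    rrtype: str
    rrsig_algorithms: frozenset  # algorithms of the RRSIGs covering this RRset


def check_zone(ds_algorithms, rrsets):
    """Return one violation string per (RRset, DS algorithm) pair where the
    RRset has no RRSIG of that algorithm.  An empty list means the zone
    satisfies the rule.  Which DNSKEYs carry the SEP bit plays no part."""
    required = frozenset(ds_algorithms)
    problems = []
    for rrset in rrsets:
        for alg in sorted(required - rrset.rrsig_algorithms):
            problems.append(
                f"{rrset.name}/{rrset.rrtype}: no RRSIG with algorithm "
                f"{ALG_NAMES.get(alg, str(alg))}"
            )
    return problems


def zone_from_keys(ksk_algorithms, zsk_algorithms, rrtypes, name="example."):
    """Build a model zone from the algorithms of its KSKs and ZSKs.

    Assumptions (stated in the lead-in): the parent has a DS for every KSK,
    the DNSKEY RRset is signed by all KSKs and ZSKs, and every other RRset
    is signed by the ZSKs only.  Returns (ds_algorithms, rrsets)."""
    ksk, zsk = frozenset(ksk_algorithms), frozenset(zsk_algorithms)
    rrsets = [SignedRRset(name, "DNSKEY", ksk | zsk)]
    rrsets += [SignedRRset(name, t, zsk) for t in rrtypes]
    return ksk, rrsets


def validator_accepts(ds_algorithms, supported, rrset):
    """Simplified validator: it trusts the zone through any DS algorithm it
    supports and needs an RRSIG of that algorithm on the RRset.  A zone that
    follows the rule satisfies every validator that supports at least one
    DS algorithm; a zone that breaks it strands validators that support only
    the algorithms the data RRsets were not signed with."""
    usable = frozenset(ds_algorithms) & frozenset(supported)
    return bool(usable & rrset.rrsig_algorithms)


if __name__ == "__main__":
    rrtypes = ["SOA", "NS", "A"]
    layouts = {
        "RSASHA1 KSK, RSAMD5 ZSK (the original poster's layout)":
            zone_from_keys({RSASHA1}, {RSAMD5}, rrtypes),
        "both algorithms as both KSK and ZSK (Evan's layout)":
            zone_from_keys({RSASHA1, RSAMD5}, {RSASHA1, RSAMD5}, rrtypes),
        "extra ZSK algorithm not present as a KSK (allowed, not advised)":
            zone_from_keys({RSASHA1}, {RSASHA1, RSAMD5}, rrtypes),
    }
    for label, (ds, rrsets) in layouts.items():
        print(label)
        for line in check_zone(ds, rrsets) or ["  ok"]:
            print(" ", line)
        soa = next(r for r in rrsets if r.rrtype == "SOA")
        print("  RSASHA1-only validator accepts SOA:",
              validator_accepts(ds, {RSASHA1}, soa))
```

Run it and the first layout reports a missing RSASHA1 RRSIG on every non-DNSKEY RRset, which is exactly what a validator that supports RSASHA1 but does not use RSAMD5 trips over; the second layout is clean; the third passes the check, matching the statement that a ZSK algorithm without a KSK counterpart is tolerated by validators even though it is not recommended.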