BIND 9.7.0a1 and dnssec-signzone verification

Evan Hunt each at isc.org
Wed Jun 24 18:23:52 UTC 2009


On Wed, Jun 24, 2009 at 05:45:33PM +0200, Holger.Zuleger at arcor.net wrote:
> I have some issues with dnssec-signzone under BIND 9.7.0a1.
> 
> I'm using different algorithms for key- and zone signing keys.

That's a problem.

> Does it mean that it is no longer possible to use different key algorithms
> in one zone?

You can use multiple algorithms in a zone, but each algorithm must be
represented as both KSK and ZSK.  If you have an RSASHA1 KSK, an RSAMD5
KSK, an RSASHA1 ZSK and an RSAMD5 ZSK, you'll be fine.  But if all
your KSKs are RSASHA1 and all your ZSKs are RSAMD5, that's actually
a protocol violation.  dnssec-signzone should have been complaining
all along; it was a bug that it didn't.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
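An added illustration of the rule Evan states above (example code written for this page, not BIND's or ISC's): RFC 4035 section 2.2 requires that every RRset in a signed zone carry an RRSIG made with at least one DNSKEY of each algorithm that appears in the apex DNSKEY RRset. The script below models a signer's key-usage policy and checks a zone against that requirement. The signer model (KSKs sign only the DNSKEY RRset, ZSKs sign every RRset, the DNSKEY RRset included unless told otherwise), the zone name, the RRsets and the key tags are all constructed assumptions, not dnssec-signzone output.

```python
"""Check the RFC 4035 s2.2 'every algorithm signs every RRset' rule.

Constructed example, not BIND code. Key tags, names and the signer policy
are assumptions made for illustration.
"""
from collections import defaultdict, namedtuple

# DNSKEY flags: 257 = KSK (SEP bit set), 256 = ZSK.
KSK, ZSK = 257, 256

Key = namedtuple("Key", "name flags algorithm keytag")
RRSIG = namedtuple("RRSIG", "owner type_covered algorithm keytag")

ZONE = "example.com."
# Constructed set of signed RRsets in the zone: (owner, type).
RRSETS = [(ZONE, "DNSKEY"), (ZONE, "SOA"), (ZONE, "NS"), ("www." + ZONE, "A")]


def model_signzone(keys, rrsets, zsk_signs_dnskey=True):
    """Emulate which keys sign which RRsets (an assumed signer policy, not
    dnssec-signzone itself): KSKs sign only the apex DNSKEY RRset; ZSKs sign
    every other RRset and, unless zsk_signs_dnskey is False, the DNSKEY RRset
    as well.  Returns the RRSIGs such a signer would produce."""
    sigs = []
    for owner, rtype in rrsets:
        for k in keys:
            if k.flags == KSK and rtype != "DNSKEY":
                continue  # KSKs never sign zone data
            if k.flags == ZSK and rtype == "DNSKEY" and not zsk_signs_dnskey:
                continue  # policy that leaves DNSKEY to the KSKs only
            sigs.append(RRSIG(owner, rtype, k.algorithm, k.keytag))
    return sigs


def algorithm_violations(keys, rrsets, sigs):
    """Return [(owner, type, missing_algorithm), ...] for every RRset that
    lacks an RRSIG from some algorithm present in the apex DNSKEY RRset.
    An empty list means the zone satisfies RFC 4035 section 2.2."""
    required = {k.algorithm for k in keys}
    present = defaultdict(set)
    for s in sigs:
        present[(s.owner, s.type_covered)].add(s.algorithm)
    return sorted(
        (owner, rtype, alg)
        for owner, rtype in rrsets
        for alg in required - present[(owner, rtype)]
    )


def one_algorithm_per_role(zsk_signs_dnskey=True):
    """The setup from the question: RSASHA1 only as KSK, RSAMD5 only as ZSK."""
    keys = [Key(ZONE, KSK, "RSASHA1", 12345), Key(ZONE, ZSK, "RSAMD5", 23456)]
    sigs = model_signzone(keys, RRSETS, zsk_signs_dnskey)
    return algorithm_violations(keys, RRSETS, sigs)


def both_roles_per_algorithm():
    """Evan's compliant layout: a KSK and a ZSK for each algorithm in use."""
    keys = [
        Key(ZONE, KSK, "RSASHA1", 12345), Key(ZONE, ZSK, "RSASHA1", 23456),
        Key(ZONE, KSK, "RSAMD5", 34567), Key(ZONE, ZSK, "RSAMD5", 45678),
    ]
    sigs = model_signzone(keys, RRSETS)
    return algorithm_violations(keys, RRSETS, sigs)


if __name__ == "__main__":
    for owner, rtype, alg in one_algorithm_per_role():
        print(f"{owner} {rtype}: no RRSIG with algorithm {alg}")
    print("both-roles layout violations:", both_roles_per_algorithm())
```

With one algorithm per role, every RRset other than DNSKEY ends up signed only by the RSAMD5 ZSK, so a validator that trusts the RSASHA1 KSK but does not implement RSAMD5 finds no usable signature on SOA, NS or A and treats the zone as bogus; with a KSK-only DNSKEY signing policy the DNSKEY RRset is short an RSAMD5 signature too. Giving each algorithm both a KSK and a ZSK leaves nothing uncovered.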
