BIND 9.7.0a1 and dnssec-signzone verification

Rob Austein sra at
Wed Jun 24 21:18:54 UTC 2009

At Wed, 24 Jun 2009 18:23:52 +0000, Evan Hunt wrote:
> On Wed, Jun 24, 2009 at 05:45:33PM +0200, Holger.Zuleger at wrote:
> > I have some issues with dnssec-signzone under BIND 9.7.0a1.
> > 
> > I'm using different algorithms for key- and zone signing keys.
> You can use multiple algorithms in a zone, but each algorithm must be
> represented as both KSK and ZSK.  If you have an RSASHA1 KSK, an RSAMD5
> KSK, an RSASHA1 ZSK and an RSAMD5 ZSK, you'll be fine.  But if all
> your KSKs are RSASHA1 and all your ZSK's are RSAMD5, that's actually
> a protocol violation.  dnssec-signzone should have been complaining
> all along; it was a bug that it didn't.

Evan's rule (that the KSK and ZSK algorithms should match) is
correct, but the reasons are a bit (more) complex.

The protocol requirement is that every signed RRset in a zone have an
RRSIG for each algorithm listed in the zone's DS RRset in the parent.
A simpler way of saying this is that every KSK algorithm in a zone
must also be a ZSK algorithm.  Note that this has nothing to do with
the SEP bit in the DNSKEY RRs, only to do with which keys sign which
RRsets (the protocol forbids the validator from using the SEP bit).

The validator allows ZSK algorithms which are not KSK algorithms, but
signing your zone that way leaves you vulnerable to the same algorithm
downgrade attack that resulted in the seemingly bizzare protocol
requirement noted above.  So don't do that.  Allowing ZSK algorithms
that aren't KSK algorithms is useful during certain transitions, but
you don't want verification to rely on mismatched algorithms.

More information about the bind-users mailing list