Mixing Algorithms for DNSSEC

Casey Deccio casey at deccio.net
Sat Oct 15 15:11:02 UTC 2011

On Sat, Oct 15, 2011 at 3:11 AM, Mark Elkins <mje at posix.co.za> wrote:

> Basically - create a KSK and ZSK with RSASHA1 - Sign - and visibly check
> the results.
> Add a new KSK using RSASHA256 - prep the zone and sign again.
> 1 - Signer is confused???? - can not sign (or generate a new Signed
> Zone)...
>        Verifying the zone using the following algorithms: RSASHA1.
>        Missing self signing KSK for algorithm RSASHA256
>        The zone is not fully signed for the following algorithms:
>        RSASHA256.
>        dnssec-signzone: fatal: DNSSEC completeness test failed.

When you include DNSKEYs with multiple algorithms, both the DNSKEY RRset and
other RRsets in the zone must be signed with each algorithm [1]. Because
you designed your RSASHA256 DNSKEY as a KSK, dnssec-signzone is only using
it to sign the DNSKEY RRset, not other RRsets. To resolve this, create a
ZSK with algorithm RSASHA256 for your zone.


[1] See http://tools.ietf.org/html/rfc4035 - section 2.2
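
The completeness rule discussed in this message, as an added example that is not part of the original post or of BIND: a Python check that every algorithm in the apex DNSKEY RRset has an RRSIG over every RRset. The zone text is constructed sample data with placeholder keys and signatures, and the parser assumes one record per line, numeric algorithm fields, and no delegations or glue.

```python
# Added example: per-algorithm signing completeness check (RFC 4035 section 2.2).
from collections import defaultdict

ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256"}  # IANA DNSSEC algorithm numbers

# Constructed sample: RSASHA1 KSK + ZSK, plus an RSASHA256 KSK only.
# Key and signature data ("AAAA") are placeholders; only the checked fields matter.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20111114000000 20111015000000 11111 example.com. AAAA
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20111114000000 20111015000000 11111 example.com. AAAA
example.com. 3600 IN DNSKEY 257 3 5 AAAA
example.com. 3600 IN DNSKEY 256 3 5 AAAA
example.com. 3600 IN DNSKEY 257 3 8 AAAA
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20111114000000 20111015000000 22222 example.com. AAAA
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20111114000000 20111015000000 33333 example.com. AAAA
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 5 3 3600 20111114000000 20111015000000 11111 example.com. AAAA
"""

def missing_algorithms(zone_text, apex):
    """Return {(owner, type): [names of DNSKEY algorithms with no RRSIG over it]}."""
    dnskey_algs = set()           # algorithms present in the apex DNSKEY RRset
    rrsets = set()                # every (owner, type) that needs signatures
    sig_algs = defaultdict(set)   # (owner, covered type) -> signing algorithms
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered, algorithm, labels, ...
            sig_algs[(owner, rdata[0])].add(int(rdata[1]))
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY" and owner == apex.lower():
            # DNSKEY rdata: flags, protocol, algorithm, key
            dnskey_algs.add(int(rdata[2]))
    gaps = {}
    for rrset in sorted(rrsets):
        absent = sorted(dnskey_algs - sig_algs[rrset])
        if absent:
            gaps[rrset] = [ALG_NAMES.get(a, str(a)) for a in absent]
    return gaps
```

On the sample, the DNSKEY RRset passes because the RSASHA256 KSK signs it, while SOA, NS and A are reported as lacking RSASHA256, which is the condition the signer's completeness test rejects.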