KSK signing zone records

Tony Finch dot at dotat.at
Wed Sep 1 14:04:56 UTC 2021


raf via bind-users <bind-users at lists.isc.org> wrote:
> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
>
> > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > same algorithm, then both will be used to sign the entire zone.
>
> Just out of curiosity, why is that?
> Isn't having the KSK sign the ZSK enough?

As well as what Mark said, the reason signing is per-algorithm is to do
with downgrade protection: if there's a situation where validators support
different algorithms (e.g. some have deprecated a bad algorithm but some
have not yet deployed its replacement) then a signer can support all the
validators by signing with both algorithms, without causing problems for
the newer validators that want to distrust the old algorithm. A validator
can decide whether a zone is secure or not based purely on the algorithms
listed in its DS RRset.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.
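
As an added illustration (not part of Tony's message or of BIND), the two rules behind this answer modelled in Python: RFC 4035 section 2.2's requirement that every RRset be signed with each algorithm in the apex DNSKEY RRset, and RFC 6840 section 5.11's validator decision driven by the algorithms in the DS RRset. Algorithm numbers are the IANA values; signature validity and the two validators' algorithm sets are assumptions made for the scenario.

```python
# Added illustration (not from the thread): a small model of the two DNSSEC
# rules behind the answer above. Signature validity is assumed; only the
# algorithm bookkeeping is modelled.

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA1 = 5            # the "bad algorithm" some validators have deprecated
RSASHA256 = 8
ECDSAP256SHA256 = 13   # its replacement

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


def zone_signing_complete(dnskey_algs, rrsig_algs_per_rrset):
    """RFC 4035 section 2.2: each RRset needs an RRSIG from at least one key
    of every algorithm in the apex DNSKEY RRset. With a KSK and ZSK of
    different algorithms, both therefore sign the whole zone."""
    needed = set(dnskey_algs)
    return all(needed <= set(sigs) for sigs in rrsig_algs_per_rrset)


def validate(ds_algs, supported_algs, rrsig_algs):
    """RFC 6840 section 5.11: outcome for one RRset, judged purely from the
    algorithms in the parent's DS RRset that this validator trusts.
    rrsig_algs are the algorithms of the RRSIGs present (assumed valid)."""
    usable = set(ds_algs) & set(supported_algs)
    if not usable:
        return INSECURE   # nothing the validator can use: treated as unsigned
    # Any one trusted, verifiable chain is enough; the validator must not
    # demand that every advertised algorithm verifies.
    return SECURE if usable & set(rrsig_algs) else BOGUS


# Assumed migration scenario: DS lists both the old and the new KSK algorithm.
DS_ALGS = {RSASHA1, ECDSAP256SHA256}
OLD_VALIDATOR = {RSASHA1, RSASHA256}            # has not yet deployed alg 13
NEW_VALIDATOR = {RSASHA256, ECDSAP256SHA256}    # has deprecated alg 5


def outcomes(rrsig_algs):
    """Validation result seen by each validator for one RRset of the zone."""
    return (validate(DS_ALGS, OLD_VALIDATOR, rrsig_algs),
            validate(DS_ALGS, NEW_VALIDATOR, rrsig_algs))


if __name__ == "__main__":
    print("signed with both   :", outcomes({RSASHA1, ECDSAP256SHA256}))  # secure, secure
    print("signed with 5 only :", outcomes({RSASHA1}))                   # secure, bogus
    print("signed with 13 only:", outcomes({ECDSAP256SHA256}))           # bogus, secure
```

Signing with both algorithms is the only case where the old and the new validator both reach "secure", which is the downgrade protection described above.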
