KSK signing zone records

raf bind at raf.org
Wed Sep 1 23:30:56 UTC 2021


On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch <dot at dotat.at> wrote:

> raf via bind-users <bind-users at lists.isc.org> wrote:
> > On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
> >
> > > What algorithm(s) are you using for ZSK and KSK? If they’re not the
> > > same algorithm, then both will be used to sign the entire zone.
> >
> > Just out of curiosity, why is that?
> > Isn't having the KSK sign the ZSK enough?
> 
> As well as what Mark said, the reason signing is per-algorithm is to do
> with downgrade protection: if there's a situation where validators support
> different algorithms (e.g. some have deprecated a bad algorithm but some
> have not yet deployed its replacement) then a signer can support all the
> validators by signing with both algorithms, without causing problems for
> the newer validators that want to distrust the old algorithm. A validator
> can decide whether a zone is secure or not based purely on the algorithms
> listed in its DS RRset.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
> Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.

Thanks.

cheers,
raf
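A toy model of the per-algorithm validation rule Tony describes, added here as an example (it is not code from the thread or from BIND): the algorithm numbers are the IANA DNSSEC registry values, and the validators, signature checks and scenarios are constructed.

```python
# Constructed model of a validator's per-algorithm decision. Algorithm
# numbers follow the IANA DNSSEC registry (8 = RSASHA256,
# 13 = ECDSAP256SHA256); the validators and scenarios are invented.

RSASHA256, ECDSAP256SHA256 = 8, 13


def validate(ds_algorithms, rrsig_algorithms, supported, valid_signature):
    """Outcome for one RRset as seen by one validator.

    ds_algorithms    : algorithms listed in the parent's DS RRset
    rrsig_algorithms : algorithms of the RRSIGs returned with the RRset
    supported        : algorithms this validator is willing to trust
    valid_signature  : callable(alg) -> bool, whether the RRSIG of that
                       algorithm verifies against the zone's DNSKEY
    Returns 'secure', 'insecure' or 'bogus'.
    """
    # Security is decided purely from the DS RRset: if none of the
    # algorithms the parent vouches for is one we trust, the zone is
    # unsigned from our point of view, not broken.
    usable = set(ds_algorithms) & set(supported)
    if not usable:
        return "insecure"
    # RFC 6840 s5.11: any single valid path is enough.
    for alg in usable:
        if alg in rrsig_algorithms and valid_signature(alg):
            return "secure"
    # The parent promised a trusted algorithm but the data does not
    # validate with it: signatures stripped in transit, or a forged answer.
    return "bogus"


def downgrade_scenario():
    """Dual-algorithm signing during an 8 -> 13 transition (constructed)."""
    ds = [RSASHA256, ECDSAP256SHA256]
    always_ok = lambda alg: True           # every present RRSIG verifies
    old_validator = [RSASHA256]            # has not deployed alg 13 yet
    new_validator = [ECDSAP256SHA256]      # has deprecated alg 8
    both_signed = {RSASHA256, ECDSAP256SHA256}
    only_rsa = {RSASHA256}                 # alg-13 RRSIGs removed on the wire
    return {
        "old, dual-signed": validate(ds, both_signed, old_validator, always_ok),
        "new, dual-signed": validate(ds, both_signed, new_validator, always_ok),
        "new, alg-13 sigs stripped": validate(ds, only_rsa, new_validator, always_ok),
        "old, DS lists only alg 13": validate([ECDSAP256SHA256], both_signed,
                                              old_validator, always_ok),
    }
```

Signing with both algorithms keeps both validator populations at "secure", while a validator that trusts only the new algorithm still rejects an answer whose new-algorithm signatures are missing.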

