Friday 30 January 2015

DNSSEC: Does the algorithm of the ZSK need to match the algorithm of the KSK?



I am in the process of setting up DNSSEC for my domains. Initially I was going to go with algorithm 13 (ECDSA-P256-SHA256), but it seems that dyn.com doesn't allow me to add a DS record with an algorithm value of 13. (Would love some insight as to why they prevent this)


I figured, hey, no matter, there are two keys, right? I could have the KSK be algorithm 8 (RSASHA256) and keep the ZSK as algorithm 13. The ZSK is the one making most of the signatures anyway, so that is where the big win would be.


But it seems like dnssec-signzone was giving me a lot of grief. I eventually got it to seem like it worked, but dnssec-verify seems to consistently give me the following error:



$ dnssec-verify -o example.com example.com.db.signed
Loading zone 'example.com' from file 'example.com.db.signed'
Verifying the zone using the following algorithms: RSASHA256.
Missing ZSK for algorithm RSASHA256
Missing self-signed KSK for algorithm ECDSAP256SHA256
No correct RSASHA256 signature for example.com SOA
No correct RSASHA256 signature for example.com NSEC
The zone is not fully signed for the following algorithms: RSASHA256 ECDSAP256SHA256.
dnssec-verify: fatal: DNSSEC completeness test failed.


So, my question is:


Is it legal with DNSSEC to have differing algorithms for the ZSK and KSK? If so, how can I sign and verify the zone using the standard bind DNSSEC tools with such a configuration?
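The "completeness test" that dnssec-verify reports comes from RFC 4035 section 2.2: every algorithm that appears in the zone apex DNSKEY RRset must sign every RRset in the zone, so a KSK of one algorithm paired with a ZSK of another leaves each algorithm only half covered. The Python script below is an added example, not part of the original post and not BIND's own code. It models that rule over a constructed, simplified zone listing (key and signature data replaced by placeholders, key tags and cryptographic verification ignored) and reproduces the same four complaints as the dnssec-verify run above; a second constructed zone with a KSK and ZSK of both algorithms and every RRset signed by both passes the check.

```python
"""Model of the DNSSEC zone-completeness rule (RFC 4035 section 2.2).

For every algorithm in the apex DNSKEY RRset, every RRset in the zone must
carry an RRSIG made with a key of that algorithm, and the DNSKEY RRset must
be signed by a KSK of that algorithm.  This is an illustrative, simplified
re-implementation of the check dnssec-verify performs, not BIND's code: it
looks only at DNSKEY flags, algorithm numbers and which RRSIGs exist.
"""
from collections import defaultdict

# IANA DNSSEC algorithm numbers, with the names dnssec-verify prints.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
             15: "ED25519", 16: "ED448"}

KSK_FLAGS = 257   # ZONE + SEP bits: key-signing key
ZSK_FLAGS = 256   # ZONE bit only: zone-signing key


def parse_records(text):
    """Parse a constructed, simplified presentation-format zone.

    Each line is "<owner> <type> <rdata...>".  DNSKEY rdata is read as
    flags/protocol/algorithm, RRSIG rdata as type-covered/algorithm; other
    types are recorded only so we know which RRsets must be signed.
    """
    rrsets = set()              # (owner, type) present in the zone
    dnskeys = []                # (flags, algorithm) for each apex DNSKEY
    sigs = defaultdict(set)     # (owner, type covered) -> {algorithms}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, rtype, *rdata = line.split()
        if rtype == "RRSIG":
            sigs[(owner, rdata[0])].add(int(rdata[1]))
        else:
            rrsets.add((owner, rtype))
            if rtype == "DNSKEY":
                flags, _proto, alg = (int(x) for x in rdata[:3])
                dnskeys.append((flags, alg))
    return rrsets, dnskeys, sigs


def completeness_problems(zone_text, apex):
    """Return a list of problems; an empty list means the zone is fully signed."""
    rrsets, dnskeys, sigs = parse_records(zone_text)
    problems = []
    for alg in sorted({alg for _, alg in dnskeys}):
        name = ALG_NAMES.get(alg, str(alg))
        if not any(f == ZSK_FLAGS and a == alg for f, a in dnskeys):
            problems.append(f"Missing ZSK for algorithm {name}")
        # The DNSKEY RRset must be signed by a KSK of this same algorithm.
        has_ksk = any(f == KSK_FLAGS and a == alg for f, a in dnskeys)
        if not (has_ksk and alg in sigs[(apex, "DNSKEY")]):
            problems.append(f"Missing self-signed KSK for algorithm {name}")
        # Every other RRset needs an RRSIG of this algorithm (normally the ZSK's).
        for owner, rtype in sorted(rrsets):
            if rtype != "DNSKEY" and alg not in sigs[(owner, rtype)]:
                problems.append(f"No correct {name} signature for {owner} {rtype}")
    return problems


# Constructed zone mirroring the question: RSASHA256 KSK, ECDSAP256SHA256 ZSK.
MIXED_ZONE = """
example.com. SOA ns1.example.com. hostmaster.example.com. 2015013001 3600 900 1209600 300
example.com. DNSKEY 257 3 8 KSK-RSASHA256-PUBKEY-PLACEHOLDER
example.com. DNSKEY 256 3 13 ZSK-ECDSAP256-PUBKEY-PLACEHOLDER
example.com. NSEC ns1.example.com. SOA RRSIG NSEC DNSKEY
example.com. RRSIG DNSKEY 8 SIG-PLACEHOLDER
example.com. RRSIG SOA 13 SIG-PLACEHOLDER
example.com. RRSIG NSEC 13 SIG-PLACEHOLDER
"""

# Constructed zone with a KSK and ZSK for each algorithm and double signatures.
DUAL_ALG_ZONE = """
example.com. SOA ns1.example.com. hostmaster.example.com. 2015013001 3600 900 1209600 300
example.com. DNSKEY 257 3 8 KSK-RSASHA256-PUBKEY-PLACEHOLDER
example.com. DNSKEY 256 3 8 ZSK-RSASHA256-PUBKEY-PLACEHOLDER
example.com. DNSKEY 257 3 13 KSK-ECDSAP256-PUBKEY-PLACEHOLDER
example.com. DNSKEY 256 3 13 ZSK-ECDSAP256-PUBKEY-PLACEHOLDER
example.com. NSEC ns1.example.com. SOA RRSIG NSEC DNSKEY
example.com. RRSIG DNSKEY 8 SIG-PLACEHOLDER
example.com. RRSIG DNSKEY 13 SIG-PLACEHOLDER
example.com. RRSIG SOA 8 SIG-PLACEHOLDER
example.com. RRSIG SOA 13 SIG-PLACEHOLDER
example.com. RRSIG NSEC 8 SIG-PLACEHOLDER
example.com. RRSIG NSEC 13 SIG-PLACEHOLDER
"""

if __name__ == "__main__":
    for label, zone in (("mixed", MIXED_ZONE), ("dual", DUAL_ALG_ZONE)):
        problems = completeness_problems(zone, "example.com.")
        print(f"{label}: {'fully signed' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

The mixed zone fails for both algorithms at once: RSASHA256 has no ZSK and therefore no signature over SOA or NSEC, while ECDSAP256SHA256 has no KSK to self-sign the DNSKEY RRset. Running the same check over the dual-algorithm zone returns no problems, which is the configuration a signer must produce whenever two algorithms appear in the DNSKEY RRset.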




