nanog mailing list archives

Re: DNSSEC Best Practices


From: Peter van Dijk <peter.van.dijk () powerdns com>
Date: Mon, 10 May 2021 13:53:03 +0200

On Tue, 2021-04-27 at 22:56 +0200, Arne Jensen wrote:
> NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384, all along is that I've seen DNSSEC signatures with 14 2
> (ECDSAP384SHA256), which I would find quite weird.

This appears to be a frequent source of confusion.

In '14 4', '14' is the DNSSEC signing algorithm ECDSAP384SHA384 [1]. '4' is the DS digest algorithm SHA384 [2].

Then, '14 2', is still the DNSSEC signing algorithm ECDSAP384SHA384, and '2' is the DS digest algorithm SHA256.

The DNSSEC signing algorithm is used to sign the zone's content. The DS digest algorithm is what the parent zone uses 
to digest (hash) the child's DNSKEY (and this digest is then signed by whatever DNSSEC signing algorithm the parent 
chose).

So, '14 2' is not ECDSAP384SHA256, it's still ECDSAP384SHA384.

[1] https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
[2] https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
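A worked example of the split Peter describes, added here and not part of the original thread or of any PowerDNS code: the DS RDATA is `<key tag> <DNSKEY algorithm> <digest type> <digest>`, the algorithm field is copied out of the child's DNSKEY, and only the digest type is the parent's (or the DS generator's) choice. The code builds one algorithm-14 DNSKEY from a constructed 96-byte filler "public key" (the length of a P-384 point, not a real key; the DS computation only hashes bytes, so no ECDSA library is needed) and derives both the `14 2` and the `14 4` DS forms from it, per RFC 4034 section 5.1.4 and the key-tag algorithm of RFC 4034 Appendix B. The owner name `example.com.` and all function names are assumptions of this example.

```python
"""Added example: deriving DS records from a DNSKEY (RFC 4034).

DS RDATA = <key tag> <DNSKEY algorithm> <digest type> <digest>.
The algorithm number is taken from the DNSKEY; the digest type is chosen
when the DS is generated.  An algorithm-14 (ECDSAP384SHA384) key therefore
yields '14 2' with a SHA-256 digest and '14 4' with a SHA-384 digest, and
the signing algorithm is 14 in both cases.
"""
from __future__ import annotations

import base64
import hashlib

ECDSAP384SHA384 = 14          # DNSKEY/RRSIG algorithm number (IANA registry)
DS_DIGEST_SHA256 = 2          # DS digest type numbers (IANA registry)
DS_DIGEST_SHA384 = 4
DIGEST_FUNCS = {DS_DIGEST_SHA256: hashlib.sha256, DS_DIGEST_SHA384: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed
    labels, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit ones-complement-style
    checksum over the DNSKEY RDATA (not a cryptographic hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int) -> tuple[int, int, int, str]:
    """Return the DS RDATA fields (key tag, algorithm, digest type, hex digest).

    digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4.
    """
    algorithm = rdata[3]  # copied from the DNSKEY; the DS never chooses it
    h = DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, h.upper()


# Constructed example key (not a real key): KSK flags 257, protocol 3,
# algorithm 14, and 96 pattern bytes standing in for a P-384 public point.
EXAMPLE_OWNER = "example.com."
EXAMPLE_PUBKEY = bytes(range(96))
EXAMPLE_RDATA = dnskey_rdata(257, 3, ECDSAP384SHA384, EXAMPLE_PUBKEY)


def example_ds_pair() -> dict[int, tuple[int, int, int, str]]:
    """Both DS forms a parent could publish for the same algorithm-14 key,
    keyed by digest type."""
    return {dt: ds_record(EXAMPLE_OWNER, EXAMPLE_RDATA, dt) for dt in DIGEST_FUNCS}


if __name__ == "__main__":
    b64 = base64.b64encode(EXAMPLE_PUBKEY).decode()
    print(f"{EXAMPLE_OWNER} IN DNSKEY 257 3 {ECDSAP384SHA384} {b64}")
    for tag, alg, dt, digest in example_ds_pair().values():
        # Both lines print '... 14 2 ...' and '... 14 4 ...': same tag, same algorithm
        print(f"{EXAMPLE_OWNER} IN DS {tag} {alg} {dt} {digest}")
```

Running it prints one DNSKEY line and two DS lines that share the key tag and the algorithm number 14 and differ only in digest type and digest length (64 hex characters for SHA-256, 96 for SHA-384). To check a live delegation the same way, paste the child's DNSKEY RDATA fields into `dnskey_rdata` with `base64.b64decode` of the key and compare the result against `dig DS <zone>` at the parent.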

