DNSSEC Best Practices

Peter van Dijk peter.van.dijk at powerdns.com
Mon May 10 11:53:03 UTC 2021

On Tue, 2021-04-27 at 22:56 +0200, Arne Jensen wrote:
> NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384 all along is that I've seen DNSSEC signatures with 14 2 (ECDSAP384SHA256), which I would find quite weird.

This appears to be a frequent source of confusion.

In '14 4', '14' is the DNSSEC signing algorithm ECDSAP384SHA384 [1]. '4' is the DS digest algorithm SHA384 [2].

Then, '14 2' is still the DNSSEC signing algorithm ECDSAP384SHA384, and '2' is the DS digest algorithm SHA256.

The DNSSEC signing algorithm is used to sign the zone's content. The DS digest algorithm is what the parent zone uses to digest (hash) the child's DNSKEY (and this digest is then signed by whatever DNSSEC signing algorithm the parent chose).

So, '14 2' is not ECDSAP384SHA256, it's still ECDSAP384SHA384.

[1] https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
[2] https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
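To make the two fields concrete, here is an added example (not code from the thread or from PowerDNS) that builds the DS record for one DNSKEY with both digest types, and parses DS presentation format back into its named parts. It follows RFC 4034: the DS digest is H(canonical owner name || DNSKEY RDATA), and the key tag is the Appendix B checksum. The owner name and the 96-byte public key are constructed for the demonstration; the key bytes are not a valid P-384 point, which does not matter for the digest arithmetic.

```python
import hashlib
import hmac

# IANA DNSSEC algorithm numbers (subset; full registry is [1] above)
ALG_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
# IANA DS digest types ([2] above) and the hash each one selects
DIGEST_NAMES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
DIGEST_LENGTHS = {1: 20, 2: 32, 4: 48}

# Constructed demo values: a KSK (flags 257) for example.com with a fake 96-byte key.
EXAMPLE_OWNER = "example.com."
EXAMPLE_PUBKEY = bytes(range(96))


def owner_name_wire(name):
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 s2.1): flags(2) protocol(1) algorithm(1) key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(owner name || DNSKEY RDATA) (RFC 4034 s5.1.4); the DS digest type picks H."""
    return DIGEST_FUNCS[digest_type](owner_name_wire(owner) + rdata).digest()


def make_ds(owner, flags, algorithm, pubkey, digest_type):
    """DS RDATA in presentation format: '<key tag> <alg> <digest type> <hex digest>'."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    digest = ds_digest(owner, rdata, digest_type)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.hex().upper()}"


def describe_ds(ds_rdata_text):
    """Parse DS presentation format and name the signing algorithm and digest type separately."""
    tag, alg, dtype, digest_hex = ds_rdata_text.split(None, 3)
    alg, dtype = int(alg), int(dtype)
    digest = bytes.fromhex("".join(digest_hex.split()))  # hex may be whitespace-split in zone files
    if len(digest) != DIGEST_LENGTHS.get(dtype):
        raise ValueError(f"digest length {len(digest)} does not match DS digest type {dtype}")
    return {
        "key_tag": int(tag),
        "algorithm": alg,
        "algorithm_name": ALG_NAMES.get(alg, "unknown"),
        "digest_type": dtype,
        "digest_name": DIGEST_NAMES.get(dtype, "unknown"),
        "digest": digest,
    }


def ds_matches_dnskey(owner, ds_rdata_text, flags, algorithm, pubkey):
    """The check a validator makes: does this DS cover this DNSKEY? (key tag, algorithm, digest)."""
    info = describe_ds(ds_rdata_text)
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    if info["algorithm"] != algorithm or info["key_tag"] != key_tag(rdata):
        return False
    return hmac.compare_digest(info["digest"], ds_digest(owner, rdata, info["digest_type"]))


if __name__ == "__main__":
    # Same DNSKEY, two DS records: '14 2' and '14 4' share the signing algorithm.
    for dtype in (2, 4):
        ds = make_ds(EXAMPLE_OWNER, 257, 14, EXAMPLE_PUBKEY, dtype)
        info = describe_ds(ds)
        print(f"{EXAMPLE_OWNER} IN DS {ds}")
        print(f"  signing alg {info['algorithm']} = {info['algorithm_name']}, "
              f"DS digest {info['digest_type']} = {info['digest_name']}")
```

Running it prints two DS records with the same key tag and algorithm 14, differing only in the third field and in the digest length (32 bytes for type 2, 48 for type 4), which is the point of the reply: the second number never changes which signing algorithm the child zone uses.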
