DNSSEC Best Practices

• Previous message (by thread): RADb
• Next message (by thread): T-Mobile RF Engineer Contact
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2021-04-27 at 22:56 +0200, Arne Jensen wrote:
> NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384 all along is that I've seen DNSSEC signatures with 14 2 (ECDSAP384SHA256), which I would find quite weird.

This appears to be a frequent source of confusion.

In '14 4', '14' is the DNSSEC signing algorithm ECDSAP384SHA384 [1]. '4' is the DS digest algorithm SHA384 [2].

Then, '14 2', is still the DNSSEC signing algorithm ECDSAP384SHA384, and '2' is the DS digest algorithm SHA256.

The DNSSEC signing algorithm is used to sign the zone's content. The DS digest algorithm is what the parent zone uses to digest (hash) the child's DNSKEY (and this digest is then signed by whatever DNSSEC signing algorithm the parent chose).

So, '14 2' is not ECDSAP384SHA256, it's still ECDSAP384SHA384.

[1] https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
[2] https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

• Previous message (by thread): RADb
• Next message (by thread): T-Mobile RF Engineer Contact
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]