14 Říj
2021
14 Říj
'21
8:45
Dear Guru(s),
If the following questions have already been asked, I do apologize and
would very much appreciate the pointers to where I can read the answer(s).
I am currently ‘running’ a DNSsec-signed zone using Alg-8 [RSA/SHA2-256].
However, I would very much like to DNSsec-sign and publish my zone with two
different algorithms (say, Alg-8 [RSA/SHA2-256] + Alg-13
[ECDSA-P256/SHA2-256]) *simultaneously*,
in case the client-validators out there cannot process one algorithm or the
other (never mind that they both are the ‘MUST’ in RFC 8624).
It also is an opportunity to train myself in case I need to ‘add’ the third
one (say, Alg-15 [ED25519]) or ‘migrate’ to the Alg-13 + Alg-15 combination
in the future.
Background Information:
1. I have a ‘hidden server’ acting as ‘The Signer’.
2. ‘The Signer’ feeds the already-signed zone to the visible ‘Primary
Server’.
3. The ‘Primary Server’, in turn, feeds all other ‘Secondary Servers’, some
of which are not under my control.
4. Unfortunately, currently none of the above servers is a Knot, but I am
switching The Signer to Knot.
My questions are:
5. What will be the correct configuration for The Knot Signer? I don’t mind
maintaining two completely separated ‘Signed Trees’ of the same zone,
unless cross-signing (the keys) between algorithms is the best practice.
6. Will there be any special configuration for the ‘Primary/Secondary
Servers’? If so, I will then need to inform admins of the servers outside
my control.
Thank you for any help you can offer, both on and off the mailing list.
Gratefully,
Pirawat.
--
_/_/ _/_/ _/_/ _/_/ Assist.Prof. Pirawat WATANAPONGSE,
Ph.D.
_/_/ _/_/ _/_/ _/_/ Department of Computer Engineering
_/_/ _/_/ _/_/ _/_/ Kasetsart University, Bangkhen (Main)
Campus
_/_/_/_/ _/_/ _/_/ Bangkok 10900, THAILAND
_/_/_/_/ _/_/ _/_/ eMail: Pirawat.W(a)ku.th or
Pirawat.W(a)ku.ac.th
_/_/ _/_/ _/_/ _/_/ Tel: +66 2 797 0999 extension 1417
_/_/ _/_/ _/_/_/_/_/_/ Fax: +66 2 579 6245
_/_/ _/_/ _/_/_/_/ http://www.cpe.ku.ac.th/~pw/