Dear Guru(s),


If the following questions have already been asked, I do apologize and would very much appreciate the pointers to where I can read the answer(s).

I am currently ‘running’ a DNSSEC-signed zone using Alg-8 [RSA/SHA2-256].

However, I would very much like to DNSSEC-sign and publish my zone with two different algorithms (say, Alg-8 [RSA/SHA2-256] + Alg-13 [ECDSA-P256/SHA2-256]) *simultaneously*,
in case the client-validators out there cannot process one algorithm or the other (never mind that they both are ‘MUST’ in RFC 8624).

It also is an opportunity to train myself in case I need to ‘add’ the third one (say, Alg-15 [ED25519]) or ‘migrate’ to the Alg-13 + Alg-15 combination in the future.

Background Information:
1. I have a ‘hidden server’ acting as ‘The Signer’.
2. ‘The Signer’ feeds the already-signed zone to the visible ‘Primary Server’.
3. The ‘Primary Server’, in turn, feeds all other ‘Secondary Servers’, some of which are not under my control.
4. Unfortunately, currently none of the above servers is a Knot, but I am switching The Signer to Knot.

My questions are:
5. What will be the correct configuration for The Knot Signer? I don’t mind maintaining two completely separated ‘Signed Trees’ of the same zone, unless cross-signing (the keys) between algorithms is the best practice.
6. Will there be any special configuration for the ‘Primary/Secondary Servers’? If so, I will then need to inform admins of the servers outside my control.

Thank you for any help you can offer, both on and off the mailing list.


Gratefully,

Pirawat.

--
        _/_/      _/_/ _/_/       _/_/ Assist.Prof. Pirawat WATANAPONGSE, Ph.D.
       _/_/    _/_/   _/_/       _/_/ Department of Computer Engineering
      _/_/  _/_/     _/_/       _/_/ Kasetsart University, Bangkhen (Main) Campus
     _/_/_/_/       _/_/       _/_/ Bangkok 10900, THAILAND
    _/_/_/_/       _/_/       _/_/ eMail: Pirawat.W@ku.th or Pirawat.W@ku.ac.th
   _/_/  _/_/     _/_/       _/_/ Tel: +66 2 797 0999 extension 1417
  _/_/    _/_/    _/_/_/_/_/_/ Fax: +66 2 579 6245
_/_/      _/_/      _/_/_/_/    http://www.cpe.ku.ac.th/~pw/
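Whatever signer produces the two-algorithm zone asked about above, the property a validator will enforce is RFC 4035 section 2.2: every algorithm listed in the apex DNSKEY RRset must sign every RRset in the zone, or validators treating the missing algorithm as the only supported one will fail. The following is an added checking script, not code from the mailing-list thread or from Knot DNS; it parses a constructed presentation-format zone (key and signature data truncated, owner name example.test. assumed) and reports RRsets that lack an RRSIG for some DNSKEY algorithm, which is the check to run on the hidden signer's output and on any secondary before trusting the transfer.

```python
"""Check a multi-algorithm DNSSEC zone for RFC 4035 s2.2 consistency:
every algorithm in the apex DNSKEY RRset must sign every RRset."""
from collections import defaultdict

# Constructed sample zone (presentation format, key/signature data truncated).
# The www A record is deliberately signed only by algorithm 8.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKSK8...
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcZSK8...
example.test. 3600 IN DNSKEY 257 3 13 mdsswUyr3...
example.test. 3600 IN DNSKEY 256 3 13 oJMRESz5E...
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240201000000 20240101000000 11111 example.test. sig1...
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240201000000 20240101000000 22222 example.test. sig2...
example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN RRSIG A 8 2 3600 20240201000000 20240101000000 33333 example.test. sig3...
example.test. 3600 IN RRSIG A 13 2 3600 20240201000000 20240101000000 44444 example.test. sig4...
www.example.test. 3600 IN A 192.0.2.2
www.example.test. 3600 IN RRSIG A 8 3 3600 20240201000000 20240101000000 33333 example.test. sig5...
"""

def parse_zone(text):
    """Return (rrsets, sigs): rrsets maps (owner, type) -> list of rdata strings;
    sigs maps (owner, covered type) -> set of signing algorithm numbers."""
    rrsets = defaultdict(list)
    sigs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip blank lines and anything not a one-line IN record
        owner, rtype, rdata = fields[0].lower(), fields[3], fields[4:]
        if rtype == "RRSIG":
            # RRSIG rdata begins: type-covered, algorithm, labels, original TTL, ...
            sigs[(owner, rdata[0])].add(int(rdata[1]))
        else:
            rrsets[(owner, rtype)].append(" ".join(rdata))
    return rrsets, sigs

def dnskey_algorithms(rrsets, apex):
    """Algorithm numbers present in the apex DNSKEY RRset (rdata: flags proto alg key)."""
    return {int(rd.split()[2]) for rd in rrsets.get((apex.lower(), "DNSKEY"), [])}

def find_violations(text, apex):
    """List (owner, type, missing algorithms) for every RRset not signed by all
    DNSKEY algorithms. Delegation NS/glue are legitimately unsigned; the sample has none."""
    rrsets, sigs = parse_zone(text)
    required = dnskey_algorithms(rrsets, apex)
    problems = []
    for owner, rtype in sorted(rrsets):
        missing = required - sigs.get((owner, rtype), set())
        if missing:
            problems.append((owner, rtype, sorted(missing)))
    return problems

if __name__ == "__main__":
    for owner, rtype, missing in find_violations(SAMPLE_ZONE, "example.test."):
        print(f"{owner} {rtype}: missing RRSIG for algorithm(s) {missing}")
```

On the sample the script flags only www.example.test. A as lacking an algorithm 13 signature, which is exactly the kind of gap that makes a zone validate on one resolver and fail on another.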