Hi Daniel,

Would it be possible to activate more than one algorithm in a policy?

If not, how hard would it be to include that functionality?
Because for some reason a lot of ISP resolvers support RSA only while I would like to future-proof my zone with ED25519 at the same time.

Cheers,
Stefan


On Thu, 22 July 2021 at 19:56, Daniel Salzman <daniel.salzman@nic.cz> wrote:
Hi Stefan,

I'm sorry, it's not possible to configure more DNSSEC policies (more
algorithms) per one zone at the same time.

Maybe, with the manual key management and more configuration files when
generating keys via keymgr, it could work somehow. But I'm not sure and
probably it's not what you are looking for :-)

Daniel

On 22. 07. 21 16:55, Schindler, Stefan wrote:
> Hi all
>
> I am currently running these two policies:
> ```
> policy:
>    - id: edecc
>      algorithm: ed25519
>      nsec3: on
>    - id: rsa
>      algorithm: RSASHA256
>      ksk-size: 2048
>      zsk-size: 2048
>      nsec3: on
> ```
>
> I tried enabling both with this command, but to no effect:
> ```
>      dnssec-policy: [ edecc, rsa ]
> ```
>
> Is there a way to do both at the same time in one zone?
>
> I am currently running knot 3.0.8
>
> Cheers,
> Stefan
>