On Tue, May 18, 2021 at 01:07:42AM +0200, Matthäus Wander via dns-operations
wrote:
> > How does a validating resolver choose which signature to use. First
> > available? Stronger crypto? Both have to be valid through the chain?
> > Random?
>
> The resolver attempts validation of all signatures (for which it has
> algorithm support) until it finds one that validates correctly. One
> valid signature suffices.
That's likely typical, but there may be resolvers out there that will
pick the strongest (in their estimation) supported algorithm, and
require that one to work.
Bottom line: make sure *all* your signatures are valid, if you sign
with multiple algorithms...
--
Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations