On 2023-02-03 21:31, Edward Lewis via Opendnssec-user wrote:
In setting up a trial of opendnssec, I see `<Algorithm length="2048">8</Algorithm>` in kasp.xml to set up a 2K RSA-SHA-256 key. I want to change to Ed25519 ("15" according to the IANA registry for those things), which I can do by changing the "8" above to "15". My question: must I specify the length? I've tried looking for documentation about the kasp.xml syntax, but cannot find anything since 2014, and cannot find any examples that use any non-RSA-based algorithm. That document said that OpenDNSSEC could not do an algorithm rollover, but using OpenDNSSEC 2.something, I got it to work, so I suspect that documentation is way out of date.
Dear Edward and list,

First, the documentation is being set up again, because it really does need to be revamped. OpenDNSSEC now fully supports algorithm rollover and the non-RSA algorithms; it is mentioned on the web site and on the wiki, but not clearly at all.

Then for your question. The specification for the KASP requires you to give a size for the number of bits, just because of syntax checking of the KASP files. This might be considered a bit of a relic, but on the other hand many algorithms need it. That's why a length needs to be set, and the length must be larger than 0. But for ECDSA and Edwards curves this value isn't used.
I managed to get a configuration to work for Ed25519, but not if I omit the length nor if I set the length to 0. For general information - is there a more-recent-than-2014 document for kasp.xml? Is there a detailed spec for the "Algorithm" XML "key word"?
As said, the documentation is being updated; I'll post once there is enough info there. The Validity also now allows you to specify a separate duration for the keyset, and there is an option for non-signed zones.

With kind regards,
Berry van Halderen

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
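The rule Berry states above (every `<Algorithm>` must carry a `length` attribute greater than 0, even for ECDSA and EdDSA where the value is not used) is easy to get wrong when switching a policy from RSA to Ed25519. The script below is an added example, not OpenDNSSEC's own code: it lints the `<Algorithm>` elements in a kasp.xml and reports a missing or zero length as an error, and a length on a fixed-size curve algorithm as informational only. The element layout it walks (`KASP/Policy/Keys/{KSK,ZSK,CSK}/Algorithm`), the sample kasp.xml fragment and the function names are assumptions made for this example; the algorithm numbers come from the IANA DNSSEC algorithm registry.

```python
"""Lint <Algorithm> elements in an OpenDNSSEC kasp.xml Keys section.

Added example, not OpenDNSSEC code. The kasp.xml element layout
(KASP/Policy/Keys/{KSK,ZSK,CSK}/Algorithm) is an assumption based on
common configurations. The rule enforced is the one from the thread:
a length attribute is required and must be > 0 for every algorithm,
while for the fixed-size curve algorithms (13-16) the value is ignored.
"""
import xml.etree.ElementTree as ET

# Subset of the IANA DNS Security Algorithm Numbers registry.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# Key size is fixed by the curve: kasp.xml still demands length > 0
# for syntax reasons, but the number has no effect on the generated key.
FIXED_SIZE = {13, 14, 15, 16}


def check_algorithm(elem, where):
    """Return a list of (level, message) findings for one <Algorithm> element."""
    findings = []
    try:
        alg = int((elem.text or "").strip())
    except ValueError:
        return [("error", f"{where}: algorithm number is not an integer: {elem.text!r}")]
    if alg not in ALGORITHMS:
        findings.append(("warning", f"{where}: algorithm {alg} is not in the lint table"))

    length_attr = elem.get("length")
    if length_attr is None:
        findings.append(("error", f"{where}: <Algorithm> has no length attribute "
                                  "(required by the KASP syntax, even for curve algorithms)"))
        return findings
    try:
        length = int(length_attr)
    except ValueError:
        findings.append(("error", f"{where}: length is not an integer: {length_attr!r}"))
        return findings

    if length <= 0:
        findings.append(("error", f"{where}: length must be > 0, got {length}"))
    elif alg in FIXED_SIZE:
        findings.append(("info", f"{where}: length {length} is ignored for "
                                 f"{ALGORITHMS[alg]} (fixed key size)"))
    return findings


def lint_kasp(xml_text):
    """Walk every policy's KSK/ZSK/CSK entries and collect findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("Policy"):
        name = policy.get("name", "?")
        for role in ("KSK", "ZSK", "CSK"):
            for key in policy.iter(role):
                for alg in key.findall("Algorithm"):
                    findings.extend(check_algorithm(alg, f"policy {name} {role}"))
    return findings


# Constructed sample (not a real deployment): one RSA policy, one Ed25519
# policy written the two ways the thread says do not work, one that does.
SAMPLE_KASP = """<KASP>
  <Policy name="rsa">
    <Keys><KSK><Algorithm length="2048">8</Algorithm></KSK>
          <ZSK><Algorithm length="2048">8</Algorithm></ZSK></Keys>
  </Policy>
  <Policy name="ed25519-bad">
    <Keys><KSK><Algorithm length="0">15</Algorithm></KSK>
          <ZSK><Algorithm>15</Algorithm></ZSK></Keys>
  </Policy>
  <Policy name="ed25519-ok">
    <Keys><KSK><Algorithm length="256">15</Algorithm></KSK>
          <ZSK><Algorithm length="256">15</Algorithm></ZSK></Keys>
  </Policy>
</KASP>"""


if __name__ == "__main__":
    for level, message in lint_kasp(SAMPLE_KASP):
        print(f"{level.upper():7} {message}")
```

Run against a real file with `lint_kasp(open("kasp.xml").read())`; only the `error` findings correspond to configurations the thread reports as failing, the `info` lines simply confirm that the length on an Ed25519 key is a syntactic placeholder.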