Re: [knot-dns-users] Enabling RSA2k and ED25519 at the same time

Hello. On 23/07/2021 16.13, Schindler, Stefan wrote: As the current DNSSEC standards go, I think it's normally not worth using two algorithms at once on a single zone (except temporarily when changing from one to another).  Validators will succeed when validation with *any* of the algorithms succeeds. Therefore adding a stronger algo won't make the result stronger (attackers can choose which one to compromise) - at least until the weaker algo gets (commonly) considered as insecure. Weirdly enough, DNSSEC validators do not do that even with short RSAs - one problem is that standardized (non-)support mechanism is independent of key length.  That's OK for the new fixed-length algos but not so much for RSA. --Vladimir | knot-resolver.cz