Hi Alexander,

On Wed, 27 Jul 2011, Alexander Gall wrote:

> I'm about to implement algorithm rollover according to section 4.1.5
> of rfc4641bis into our homegrown DNSSEC key management system. In the
> step named "new RRSIGs", the zone is supposed to include the signature
> of DNSKEY_K_2 over the DNSKEY RRset containing DNSKEY_Z_1 and
> DNSKEY_K_1. The explanation for this is given as
>
>   new RRSIGs: The signatures made with the new key over all records in
>       the zone are added, but the key itself is not. This includes the
>       signature for the DNSKEY RRset. While in theory, the signatures
>       of the keyset should always be synchronized with the keyset
>       itself, it can be possible that RRSIGS are requested separately,
>       so it is prudent to also sign the DNSKEY set with the new
>       signature.
>
> [Editorial: the last sentence should read "...to also sign the DNSKEY
> set with the new key"]

Thanks.

> I don't understand which corner case this is supposed to cover. The
> relevant section of RFC4035 quoted in the draft says
>
>   There MUST be an RRSIG for each RRset using at least one DNSKEY of
>   each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
>   itself MUST be signed by each algorithm appearing in the DS RRset
>   located at the delegating parent (if any).
>
> My understanding of this is that there is no requirement for the
> existence of the signature over the DNSKEY RRset by K_2 until the end
> of the step "new DNSKEY", because up to that point, the DS doesn't
> refer to algorithm 2 yet.

My understanding of this paragraph is that there MUST be an RRSIG for
each RRset using at least one key of each algorithm in the DNSKEY RRset.
So that includes the DNSKEY RRset itself. *In addition*, the DNSKEY RRset
MUST be signed with the algorithms appearing in the DS RRset.

The corner case tries to make clear that a DNSKEY RRset can be
treated as part of the chain of trust, but also can be treated as zone
content. In the latter case you want to make sure that the signatures
of the new algorithm are propagated before introducing the new DNSKEY.

Best regards,

Matthijs

> The same reasoning appears to me to apply to the step "DNSKEY
> removal". At that point, the DS record refers only to algorithm 2 and
> the old DS record has expired. Therefore, RRSIG_K_1(DNSKEY) should not
> be needed either.
>
> What am I missing?
>
> --
> Alex
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
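The disagreement in the thread comes down to how the quoted RFC 4035 section 2.2 rule applies to the DNSKEY RRset at each step of the conservative algorithm rollover. The following is an added example written for this page; it is not code from Alexander's key-management system, from Matthijs, or from rfc4641bis. It models only the signing rule as quoted (not cache timing or TTLs), uses the draft's placeholder names K_1, Z_1, K_2, Z_2 and algorithm numbers 1 and 2 (not IANA algorithm numbers), and uses a single "SOA" RRset as a stand-in for ordinary zone content. It checks every step of the draft's step sequence, then checks the shortcut Alexander's reading would allow (publishing K_2 in the DNSKEY RRset before RRSIG_K_2(DNSKEY) exists, because the DS does not yet list algorithm 2) and finally asks the same rule whether RRSIG_K_1(DNSKEY) is still required at the "DNSKEY removal" step.

```python
"""RFC 4035 section 2.2 signing rule checked across the conservative
DNSSEC algorithm rollover of rfc4641bis section 4.1.5.

Added example for this thread; not Alexander's, Matthijs's or the draft's
code.  K_1/Z_1/K_2/Z_2 and algorithms 1 and 2 are the draft's placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str       # "K_n" for a KSK, "Z_n" for a ZSK, as in the draft
    algorithm: int  # placeholder algorithm number, not an IANA value


@dataclass
class ZoneState:
    step: str
    dnskey_rrset: frozenset   # keys published in the apex DNSKEY RRset
    ds_algorithms: frozenset  # algorithms of the DS RRset at the parent
    rrsigs: dict              # RRset name -> frozenset of keys that signed it


K_1, Z_1 = Key("K_1", 1), Key("Z_1", 1)
K_2, Z_2 = Key("K_2", 2), Key("Z_2", 2)


def check_rfc4035(zone):
    """Return the violations of RFC 4035 section 2.2 for one zone state.

    Rule 1: every RRset (the DNSKEY RRset included) carries an RRSIG made
            with at least one key of each algorithm in the DNSKEY RRset.
    Rule 2: the DNSKEY RRset is signed by each algorithm in the parent DS.
    Extra signatures by algorithms no longer listed are allowed by both.
    """
    problems = []
    dnskey_algs = {k.algorithm for k in zone.dnskey_rrset}
    for rrset, signers in zone.rrsigs.items():
        missing = dnskey_algs - {k.algorithm for k in signers}
        if missing:
            problems.append(
                f"{zone.step}: {rrset} lacks RRSIG for algorithm(s) "
                f"{sorted(missing)} present in DNSKEY RRset")
    dnskey_sig_algs = {k.algorithm for k in zone.rrsigs["DNSKEY"]}
    missing_ds = zone.ds_algorithms - dnskey_sig_algs
    if missing_ds:
        problems.append(
            f"{zone.step}: DNSKEY RRset lacks RRSIG for DS algorithm(s) "
            f"{sorted(missing_ds)}")
    return problems


def state(step, keys, ds_algs, dnskey_signers, data_signers):
    """Build a ZoneState; 'SOA' stands in for all ordinary zone content."""
    return ZoneState(step, frozenset(keys), frozenset(ds_algs),
                     {"DNSKEY": frozenset(dnskey_signers),
                      "SOA": frozenset(data_signers)})


def conservative_rollover():
    """Step sequence of rfc4641bis section 4.1.5: signatures before keys."""
    return [
        state("initial",        {K_1, Z_1},           {1},    {K_1},      {Z_1}),
        state("new RRSIGs",     {K_1, Z_1},           {1},    {K_1, K_2}, {Z_1, Z_2}),
        state("new DNSKEY",     {K_1, Z_1, K_2, Z_2}, {1},    {K_1, K_2}, {Z_1, Z_2}),
        state("new DS",         {K_1, Z_1, K_2, Z_2}, {1, 2}, {K_1, K_2}, {Z_1, Z_2}),
        state("DS change",      {K_1, Z_1, K_2, Z_2}, {2},    {K_1, K_2}, {Z_1, Z_2}),
        state("DNSKEY removal", {K_2, Z_2},           {2},    {K_1, K_2}, {Z_1, Z_2}),
        state("RRSIG removal",  {K_2, Z_2},           {2},    {K_2},      {Z_2}),
    ]


def keys_before_signatures():
    """The shortcut: publish K_2/Z_2 and the new zone-data signatures in one
    step, but leave out RRSIG_K_2(DNSKEY) because DS lists only algorithm 1."""
    return [
        state("initial",    {K_1, Z_1},           {1}, {K_1}, {Z_1}),
        state("new DNSKEY", {K_1, Z_1, K_2, Z_2}, {1}, {K_1}, {Z_1, Z_2}),
    ]


def first_violation(steps):
    """Return (step, problems) for the first failing state, or None."""
    for zone in steps:
        problems = check_rfc4035(zone)
        if problems:
            return zone.step, problems
    return None


def rrsig_k1_required_at_dnskey_removal():
    """Alexander's second question, asked of the rule alone: drop
    RRSIG_K_1(DNSKEY) at 'DNSKEY removal' and see whether it still holds."""
    zone = state("DNSKEY removal", {K_2, Z_2}, {2}, {K_2}, {Z_1, Z_2})
    return bool(check_rfc4035(zone))


if __name__ == "__main__":
    print("conservative order:", first_violation(conservative_rollover()))
    print("keys before sigs:  ", first_violation(keys_before_signatures()))
    print("RRSIG_K_1(DNSKEY) required at DNSKEY removal:",
          rrsig_k1_required_at_dnskey_removal())
```

The draft's order passes at every step. The shortcut fails at "new DNSKEY" on rule 1, not rule 2: once algorithm 2 appears in the DNSKEY RRset, the DNSKEY RRset is an RRset like any other and needs an algorithm-2 signature, which is Matthijs's point that the DNSKEY RRset is also zone content. The same rule, taken on its own, does not demand RRSIG_K_1(DNSKEY) at "DNSKEY removal"; the draft's reason for keeping old signatures around is the separate-RRSIG-fetch and cache case it mentions, which this model deliberately leaves out.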