In message <[email protected]>, Tony Finch
writes:
> I think I have spotted a lacuna or possibly erratum in RFC 7344.
>
> In section 4.1 bullet 2 it says:
>
> o Signer: MUST be signed with a key that is represented in both the
> current DNSKEY and DS RRsets, unless [unusual case]
It just means that signers that know about ksk/zsk have special rules
for cds and cdnskey. This is from BIND's dnssec-signzone and causes
the cds and cdnskey rrsets to be signed with both ksk and zsk dnskeys.
    } else if (set->type == dns_rdatatype_cds ||
               set->type == dns_rdatatype_cdnskey ||
               iszsk(key)) {
> This allows a setup where
>
> * the DNSKEY RRset contains a ZSK and a KSK
>
> * the DNSKEY RRset is signed by the KSK (of course)
>
> * the CDS and CDNSKEY RRsets are signed by the ZSK (weirdly)
>
> * the parent contains DS records corresponding to both the KSK (of
> course) and the ZSK (weirdly)
>
> In this weird setup the ZSK's DS can't authenticate the delegation (per
> RFC 4035 section 5.2) but it does authenticate the CDS/CDNSKEY RRsets.
>
> Is this intended?
The purpose was for the CDS/CDNSKEY tools to not have to fetch the
current DNSKEY RRset to be able to validate the records provided they
have a current KSK.
> Or was RFC 7344 supposed to say something like:
>
> o Signer: MUST be signed with a DNSKEY RR that authenticates the
> delegation as described in RFC 4035 section 5.2 or any subsequent
> updates, unless [unusual case]
>
> One particularly relevant update is RFC 4509 which has extra requirements
> about ignoring SHA-1 DS records if SHA-2 records are present. Should this
> check also apply to CDS / CDNSKEY RRsets?
>
> Tony.
> --
> f.anthony.n.finch <[email protected]> http://dotat.at/ - I xn--zr8h punycode
> Portland, Plymouth: Cyclonic, mainly west or southwest, 5 to 7. Moderate or
> rough. Rain then showers. Moderate or poor, becoming good.
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
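To make the two readings of RFC 7344 section 4.1 discussed above concrete, here is an added Python model (not code from the thread, from BIND, or from either author) of the key-selection policy only; RRSIG cryptography is assumed to have been verified already, and the owner name, key bytes and RRSIG sets are constructed. It checks (a) the rule as written in RFC 7344 ("a key represented in both the current DNSKEY and DS RRsets"), (b) the stricter rule Tony proposes ("a DNSKEY that authenticates the delegation per RFC 4035 section 5.2", i.e. one that matches a DS and has signed the DNSKEY RRset), and (c) the effect of applying the RFC 4509 rule that SHA-1 DS records are ignored when SHA-256 ones are present. DS digests and key tags are computed as RFC 4034 specifies, so the matching is real rather than by name.

```python
"""Key-selection policy for CDS/CDNSKEY RRSIGs (constructed example, not BIND code).

Signature cryptography is assumed verified; only which key may sign is modelled.
"""
import hashlib
from dataclasses import dataclass

DIGEST_SHA1, DIGEST_SHA256 = 1, 2
FLAG_ZONE, FLAG_SEP = 0x0100, 0x0001


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag as defined in RFC 4034 Appendix B."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    type_covered: str  # "DNSKEY", "CDS" or "CDNSKEY"
    key_tag: int
    algorithm: int


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name | DNSKEY RDATA)."""
    h = hashlib.sha1 if digest_type == DIGEST_SHA1 else hashlib.sha256
    return DS(key.key_tag(), key.algorithm, digest_type,
              h(wire_name(owner) + key.rdata()).digest())


def usable_ds(ds_set: list) -> list:
    """RFC 4509 section 3: ignore SHA-1 DS RRs when SHA-256 DS RRs are present."""
    if any(ds.digest_type == DIGEST_SHA256 for ds in ds_set):
        return [ds for ds in ds_set if ds.digest_type != DIGEST_SHA1]
    return list(ds_set)


def keys_matching_ds(owner: str, dnskeys: list, ds_set: list) -> set:
    """DNSKEYs 'represented in the DS RRset': tag, algorithm and digest all match."""
    return {k for k in dnskeys for ds in ds_set
            if ds.key_tag == k.key_tag() and ds.algorithm == k.algorithm
            and make_ds(owner, k, ds.digest_type).digest == ds.digest}


def signed_by(rrsigs: list, keys: set, type_covered: str) -> set:
    """Subset of `keys` that has an RRSIG over `type_covered` (by tag and algorithm)."""
    return {k for k in keys for s in rrsigs
            if s.type_covered == type_covered
            and s.key_tag == k.key_tag() and s.algorithm == k.algorithm}


def rfc7344_signer_ok(owner, dnskeys, ds_set, rrsigs, rrtype) -> bool:
    """RFC 7344 4.1 bullet 2 as written: a signing key is in both DNSKEY and DS."""
    return bool(signed_by(rrsigs, keys_matching_ds(owner, dnskeys, ds_set), rrtype))


def delegation_signer_ok(owner, dnskeys, ds_set, rrsigs, rrtype) -> bool:
    """Stricter reading: the signing key must authenticate the delegation, i.e.
    match a DS, carry the Zone flag and have signed the DNSKEY RRset (RFC 4035 5.2)."""
    zone_keys = {k for k in keys_matching_ds(owner, dnskeys, ds_set) if k.flags & FLAG_ZONE}
    authenticating = signed_by(rrsigs, zone_keys, "DNSKEY")
    return bool(signed_by(rrsigs, authenticating, rrtype))


# Constructed zone: one KSK, one ZSK, algorithm 13; key bytes are placeholders.
OWNER = "example."
KSK = DNSKEY(FLAG_ZONE | FLAG_SEP, 13, b"ksk-public-key-bytes")
ZSK = DNSKEY(FLAG_ZONE, 13, b"zsk-public-key-bytes")
DNSKEYS = [KSK, ZSK]


def sig(rrtype: str, key: DNSKEY) -> RRSIG:
    return RRSIG(rrtype, key.key_tag(), key.algorithm)


# The "weird setup" from the thread: DNSKEY signed by the KSK, CDS signed by the ZSK only.
WEIRD_RRSIGS = [sig("DNSKEY", KSK), sig("CDS", ZSK)]
# A signer that signs CDS with both keys (what the thread says dnssec-signzone does).
BOTH_KEYS_RRSIGS = [sig("DNSKEY", KSK), sig("CDS", KSK), sig("CDS", ZSK)]

# Parent publishes SHA-256 DS for both keys.
BOTH_SHA256 = [make_ds(OWNER, KSK, DIGEST_SHA256), make_ds(OWNER, ZSK, DIGEST_SHA256)]
# Parent publishes SHA-256 for the KSK and SHA-1 for the ZSK: RFC 4509 drops the ZSK DS.
MIXED = [make_ds(OWNER, KSK, DIGEST_SHA256), make_ds(OWNER, ZSK, DIGEST_SHA1)]


def evaluate(ds_set: list, rrsigs: list) -> dict:
    ds = usable_ds(ds_set)
    return {
        "rfc7344_as_written": rfc7344_signer_ok(OWNER, DNSKEYS, ds, rrsigs, "CDS"),
        "authenticates_delegation": delegation_signer_ok(OWNER, DNSKEYS, ds, rrsigs, "CDS"),
    }


if __name__ == "__main__":
    print("weird, both DS SHA-256:", evaluate(BOTH_SHA256, WEIRD_RRSIGS))
    print("weird, ZSK DS SHA-1:   ", evaluate(MIXED, WEIRD_RRSIGS))
    print("both keys, mixed DS:   ", evaluate(BOTH_SHA256, BOTH_KEYS_RRSIGS))
```

Run against the weird setup with two SHA-256 DS records, the rule as written accepts the ZSK-signed CDS while the delegation-authenticating rule rejects it, which is exactly the gap Tony describes. Once the RFC 4509 filter is applied and the ZSK's DS is SHA-1, even the rule as written rejects it, because the ZSK is no longer "represented" in the usable DS RRset. A CDS RRset signed with both keys passes under every reading.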