Good catch. Thanks for identifying this and making it signed by both. -Rick
> -----Original Message-----
> From: DNSOP [mailto:[email protected]] On Behalf Of Mark Andrews
> Sent: Saturday, July 29, 2017 5:39 PM
> To: Tony Finch <[email protected]>
> Cc: [email protected]
> Subject: Re: [DNSOP] CDS/CDNSKEY RRSet authentication
>
>
> In message <[email protected]>, Tony Finch writes:
> > I think I have spotted a lacuna or possibly erratum in RFC 7344.
> >
> > In section 4.1 bullet 2 it says:
> >
> >    o  Signer: MUST be signed with a key that is represented in both the
> >       current DNSKEY and DS RRsets, unless [unusual case]
>
> It just means that signers that know about ksk/zsk have special rules for cds
> and cdnskey. This is from BIND's dnssec-signzone and causes the cds and
> cdnskey rrsets to be signed with both ksk and zsk dnskeys.
>
>     } else if (set->type == dns_rdatatype_cds ||
>                set->type == dns_rdatatype_cdnskey ||
>                iszsk(key)) {
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
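As an added illustration of the section 4.1 signer rule discussed above (example code written for this page, not code from the thread, from RFC 7344 or from BIND), the following checks that at least one RRSIG over a CDS/CDNSKEY RRset comes from a key that is present in the DNSKEY RRset and whose DS digest appears in the parent's DS RRset. It checks key identity only, not the signature cryptography, and the DNSKEY public-key bytes, owner name and key tags are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    """One DNSKEY RR's RDATA fields; the pubkey bytes used below are constructed, not real keys."""
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 special case omitted)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical lower-case wire form of an owner name ('example.' -> b'\\x07example\\x00')."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_rdata(owner: str, key: DNSKEY) -> tuple:
    """DS RDATA (key tag, algorithm, digest type 2, SHA-256 digest) the parent publishes for key."""
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return (key_tag(key), key.algorithm, 2, digest)

def cds_signer_ok(owner: str, dnskeys, ds_set, rrsig_signers) -> bool:
    """RFC 7344 section 4.1 bullet 2: at least one RRSIG over the CDS/CDNSKEY RRset must be
    from a key present in the DNSKEY RRset whose DS also appears in the DS RRset.
    rrsig_signers: (key tag, algorithm) pairs from the RRSIG RDATA. Extra signatures,
    such as the ZSK one dnssec-signzone adds, do not hurt as long as one qualifies."""
    ds_lookup = set(ds_set)
    return any(
        key.algorithm == alg and key_tag(key) == tag and ds_rdata(owner, key) in ds_lookup
        for tag, alg in rrsig_signers
        for key in dnskeys
    )

# Constructed sample zone: one KSK (flags 257, SEP bit set) and one ZSK (flags 256), algorithm 13.
OWNER = "example."
KSK = DNSKEY(257, 3, 13, b"\x01\x02\x03\x04")
ZSK = DNSKEY(256, 3, 13, b"\x05\x06\x07\x08")
DS_SET = [ds_rdata(OWNER, KSK)]  # parent holds a DS for the KSK only, as is typical
```

With signatures from both the KSK and the ZSK (what dnssec-signzone produces) the rule passes; with only the ZSK signature it fails, because no DS covers the ZSK.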
