Hello, my understanding of the RFC series is, that if an RFC B obsoletes RFC A, then RFC B cannot briefly mention a subject and refer to RFC A for details.
At https://tools.ietf.org/html/rfc4033 , https://tools.ietf.org/html/rfc4034 and https://tools.ietf.org/html/rfc4035 is written that these RFCs together obsolete RFC 3755 and RFC 3757. The obsoleting text is in the Introduction of RFC 4033. RFC 4033 Section 2 „Definitions of Important DNSSEC Terms“ says: „Key signing keys are discussed in more detail in [RFC3757].“ In “3.1. Data Origin Authentication and Data Integrity” it states “See [RFC3755] for details.” RFC 4034 contains in section “2.1.1. The Flags Field”: “Bit 15 of the Flags field is the Secure Entry Point flag, described in [RFC3757].” So RFC 4033 obsoletes RFC 3757, mentions briefy the term “Key signing keys” and refers to RFC 3757 for details. This way of describing adds additional complexity for the reader to understand DNSSEC, as it is not clear in which order to read the RFCs to understand the topics and leaves unclear, whether obsoleted RFCs shall be read. -- I have a question about https://tools.ietf.org/html/rfc4035#appendix-A “Signed Zone Example” for the zone “example.”: The zone contains: 3600 DNSKEY 256 3 5 ( AQOy1b*Yvh0z2542lzMKR4Dh8uZffQ== ) ;{id = 38519 (zsk), size = 1024b} 3600 DNSKEY 257 3 5 ( AQOeX7+*k5/j8vfd4jWCWD+E1Sze0Q== ) ;{id = 9465 (ksk), size = 1024b} 3600 RRSIG DNSKEY 5 1 3600 20040509183619 ( 20040409183619 9465 example. ZxgauAuI*1Tp4VKDqxqG7R5tTVM= ) 3600 RRSIG DNSKEY 5 1 3600 20040509183619 ( 20040409183619 38519 example. eGL0s90g*aFzHKillDt3HRxHIZM= ) For brevity I have replaced some base64-encoded text with *. The id=(zks/ksk) comments are not part of the RFCs. I extracted them with ldns-read-zone. The DNSKEY 256 is the Zone-Signing-Key with id 38519 and 257 is the Key-Signing-Key id 9465. My understanding is that the root zone (.) has signed one DS record for the example. zone and this DS record in practice refers to the 257 Key-Signing-Key. Then the resolver validates that the hash in the DS record matches a KSK DNSKEY in the zone appex and that this DNSKEY validates the RRSIG. The valid RRSIG validates and covers all DNSKEYs, meaning the ZSK DNSKEY is validated this way. Why does example. zone contain a RRSIG for DNSKEY that are signend by the ZSK? Compare to DS IANA.ORG, which returns currently six DS records for three distinct DNSKEYs with labels 6730, 14351 and 39817 (delv +short DS IANA.ORG): 6730 8 1 15A1EE709E51C0652799D9CD364A37ACB8E67285 6730 8 2 FCA03776FA33AB57369AAE8B089938F4001E208094362734242A7EBE 4DDB5755 14351 8 1 4C08C05754DDA7CCF62B41AC450873D271221CC3 14351 8 2 E1A0C92C0663202240FC3481F747D00901CD14E268B884A1142D7A47 5DB1A810 39817 8 1 4B2634F69EDD8D0741DA8629E2064B05E8138E51 39817 8 2 5FB72AE84C35A35DDF7FA24EA791CD9763C4360979C0CBB6FF2C407A F9AE5802 delv +dnssec DNSKEY IANA.ORG returns: DNSKEY 256 3 8 AwEAAbS+H*zJr ; ZSK; alg = RSASHA256 ; key id = 41470 DNSKEY 256 3 8 AwEAAc0xH*yrP ; ZSK; alg = RSASHA256 ; key id = 1723 DNSKEY 257 3 8 AwEAAa02O*qU= ; KSK; alg = RSASHA256 ; key id = 21911 DNSKEY 257 3 8 AwEAAb0i1*Ik= ; KSK; alg = RSASHA256 ; key id = 39817 RRSIG DNSKEY 8 2 3600 20191127114538 20191106083616 21911 iana.org. bdC*3A== RRSIG DNSKEY 8 2 3600 20191127114538 20191106083616 39817 iana.org. ADP*XEQ== So the RRSIG are signed only by KSKs (21911 and 39817) and the ZSK are not used to generate RRSIG for the DNSKEYs. I guess label 39817 is in a roll-over process and will disappear soon. Why the example from RFC 4035 Appendix A generats RRSIG for DNSKEY signed by the ZSK, but for IANA.ORG there is no such RRSIG? If this is not the right mailing list, which is the right one? Greetings Дилян _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
