On 19.3.2018 17:03, Daniel Stirnimann wrote: > Hello all, > > I noticed that Knot (2.6.5) creates an RRSIG for the CDS/CDNSKEY RRset > with the ZSK/CSK only. > > I was wondering if this is an acceptable behavior as RFC 7344, section > 4.1. CDS and CDNSKEY Processing Rules states: > > o Signer: MUST be signed with a key that is represented in both the > current DNSKEY and DS RRsets, unless the Parent uses the CDS or > CDNSKEY RRset for initial enrollment; in that case, the Parent > validates the CDS/CDNSKEY through some other means (see > Section 6.1 and the Security Considerations). > > Specifically I read that "represented in both the current DNSKEY and DS > RRsets" means that the CDS/CDNSKEY RRset must be signed with a KSK/CSK > and not only with a ZSK and a trust chain to KSK <- DS. > > I tested both BIND 9.12.1 and PowerDNS Auth 4.0.5 as well. PowerDNS Auth > behaves the same as Knot 2.6.5 but BIND 9.12.1 always signs the > CDS/CDNSKEY RRset with at least the KSK. > > Do I read the RFC rule too strict? To be honest, I see nothing wrong > with the CDS/CDNSKEY RRset only signed by the ZSK but BINDs behavior and > the not so clear RFC statement keeps me wondering.
We as Knot DNS developer cannot speak for other people implementing DNS protocol. This is mainly protocol question and as as such it is better suited for IETF dnsop working group: https://datatracker.ietf.org/wg/dnsop/about/ dnsop mailing list: https://www.ietf.org/mailman/listinfo/dnsop -- Petr Špaček @ CZ.NIC -- https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
