In message <alpine.deb.2.11.1707292141070.23...@grey.csi.cam.ac.uk>, Tony Finch writes:

> I think I have spotted a lacuna or possibly erratum in RFC 7344.
>
> In section 4.1 bullet 2 it says:
>
>    o  Signer: MUST be signed with a key that is represented in both the
>       current DNSKEY and DS RRsets, unless [unusual case]

It just means that signers that know about KSK/ZSK have special rules for
CDS and CDNSKEY. This is from BIND's dnssec-signzone and causes the CDS and
CDNSKEY RRsets to be signed with both KSK and ZSK DNSKEYs.

	} else if (set->type == dns_rdatatype_cds ||
		   set->type == dns_rdatatype_cdnskey ||
		   iszsk(key)) {

> This allows a setup where
>
>   * the DNSKEY RRset contains a ZSK and a KSK
>
>   * the DNSKEY RRset is signed by the KSK (of course)
>
>   * the CDS and CDNSKEY RRsets are signed by the ZSK (weirdly)
>
>   * the parent contains DS records corresponding to both the KSK (of
>     course) and the ZSK (weirdly)
>
> In this weird setup the ZSK's DS can't authenticate the delegation (per
> RFC 4035 section 5.2) but it does authenticate the CDS/CDNSKEY RRsets.
>
> Is this intended?

The purpose was for the CDS/CDNSKEY tools to not have to fetch the current
DNSKEY RRset to be able to validate the records provided they have a
current KSK.

> Or was RFC 7344 supposed to say something like:
>
>    o  Signer: MUST be signed with a DNSKEY RR that authenticates the
>       delegation as described in RFC 4035 section 5.2 or any subsequent
>       updates, unless [unusual case]
>
> One particularly relevant update is RFC 4509 which has extra requirements
> about ignoring SHA-1 DS records if SHA-2 records are present. Should this
> check also apply to CDS / CDNSKEY RRsets?
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Portland, Plymouth: Cyclonic, mainly west or southwest, 5 to 7. Moderate or
> rough. Rain then showers. Moderate or poor, becoming good.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
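The setup Tony describes, worked through as an added example (this is not code from the thread, from BIND, or from any RFC; the owner name `example.`, the key bytes and the helper names are constructed for illustration). The script models RFC 7344 section 4.1 bullet 2 (the CDS/CDNSKEY signer must be represented in both the current DNSKEY and DS RRsets) and, as an option, the RFC 4509 section 3 rule that SHA-1 DS records are ignored when SHA-256 DS records are present. It checks which keys are acceptable signers only; cryptographic RRSIG verification is deliberately out of scope.

```python
import hashlib
import struct

# Added example, not code from the thread, BIND or an RFC. Owner name, key
# material and helper names are constructed/hypothetical. Only key selection
# is modelled; RRSIG cryptographic verification is not performed.

SHA1, SHA256 = 1, 2          # DS digest type codes (RFC 4034 / RFC 4509)
RSASHA256 = 8                # DNSKEY algorithm number (RFC 5702)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, no compression."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 octets), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """DS RDATA fields (key tag, algorithm, digest type, digest), RFC 4034 5.1.4."""
    h = hashlib.sha1 if digest_type == SHA1 else hashlib.sha256
    digest = h(name_to_wire(owner) + rdata).digest()
    return (keytag(rdata), rdata[3], digest_type, digest)


def acceptable_cds_signers(owner, dnskey_rrset, ds_rrset, apply_rfc4509=False):
    """Key tags of DNSKEYs represented in both the DNSKEY and the DS RRset."""
    ds = list(ds_rrset)
    if apply_rfc4509 and any(d[2] == SHA256 for d in ds):
        # RFC 4509 section 3: ignore SHA-1 DS records when SHA-256 ones exist.
        ds = [d for d in ds if d[2] != SHA1]
    ok = set()
    for rdata in dnskey_rrset:
        tag, alg = keytag(rdata), rdata[3]
        for (dtag, dalg, dtype, ddigest) in ds:
            if (dtag, dalg) == (tag, alg) and make_ds(owner, rdata, dtype)[3] == ddigest:
                ok.add(tag)
    return ok


def cds_signer_ok(rrsig_signers, acceptable):
    """True if at least one RRSIG over the CDS/CDNSKEY RRset is by an acceptable key."""
    return any(tag in acceptable for tag in rrsig_signers)


# Constructed data reproducing the thread's setup: one KSK (flags 257) and one
# ZSK (flags 256). The public key bytes are filler, not real RSA keys.
OWNER = "example."
KSK = dnskey_rdata(257, 3, RSASHA256, b"\x03\x01\x00\x01" + bytes(range(1, 65)))
ZSK = dnskey_rdata(256, 3, RSASHA256, b"\x03\x01\x00\x01" + bytes(range(65, 129)))
DNSKEY_RRSET = [KSK, ZSK]
# The parent publishes a SHA-256 DS for the KSK and (weirdly) a SHA-1 DS for the ZSK.
DS_RRSET = [make_ds(OWNER, KSK, SHA256), make_ds(OWNER, ZSK, SHA1)]
# The CDS RRset carries a single RRSIG whose signer is the ZSK.
CDS_RRSIG_SIGNERS = [keytag(ZSK)]


def literal_reading():
    """RFC 7344 as written: the ZSK is in both RRsets, so the CDS signature passes."""
    return cds_signer_ok(CDS_RRSIG_SIGNERS,
                         acceptable_cds_signers(OWNER, DNSKEY_RRSET, DS_RRSET))


def rfc4509_reading():
    """With the RFC 4509 rule applied, the ZSK's SHA-1 DS is ignored and the check fails."""
    return cds_signer_ok(CDS_RRSIG_SIGNERS,
                         acceptable_cds_signers(OWNER, DNSKEY_RRSET, DS_RRSET, True))


if __name__ == "__main__":
    print("literal RFC 7344 reading accepts ZSK-signed CDS:", literal_reading())
    print("with RFC 4509 digest rule applied:", rfc4509_reading())
```

The two readings give different answers for the same zone data: the literal text of RFC 7344 accepts a CDS RRset signed only by the ZSK whenever any matching DS exists, while folding in the RFC 4509 digest-preference rule rejects it as soon as the ZSK's only DS is SHA-1 alongside a SHA-256 DS for the KSK. A tool that validates CDS/CDNSKEY against a cached KSK, as Mark describes, never consults the ZSK's DS at all, which is a third behaviour again.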