Good catch. Thanks for identifying this and making it signed by both. -Rick
> -----Original Message-----
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Mark Andrews
> Sent: Saturday, July 29, 2017 5:39 PM
> To: Tony Finch <d...@dotat.at>
> Cc: dnsop@ietf.org
> Subject: Re: [DNSOP] CDS/CDNSKEY RRSet authentication
>
>
> In message <alpine.deb.2.11.1707292141070.23...@grey.csi.cam.ac.uk>, Tony Finch writes:
> > I think I have spotted a lacuna or possibly erratum in RFC 7344.
> >
> > In section 4.1 bullet 2 it says:
> >
> > o Signer: MUST be signed with a key that is represented in both the
> >   current DNSKEY and DS RRsets, unless [unusual case]
>
> It just means that signers that know about ksk/zsk have special rules for cds
> and cdnskey. This is from BIND's dnssec-signzone and causes the cds and
> cdnskey rrsets to be signed with both ksk and zsk dnskeys.
>
>     } else if (set->type == dns_rdatatype_cds ||
>                set->type == dns_rdatatype_cdnskey ||
>                iszsk(key)) {
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
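The rule the thread is discussing, modelled as a parent-side check: RFC 7344 section 4.1 bullet 2 says the CDS/CDNSKEY RRset must carry a signature from a key present in both the child's current DNSKEY RRset and the parent's DS RRset, and the quoted dnssec-signzone branch makes BIND sign CDS/CDNSKEY with every key (KSK and ZSK) so that requirement is met even though ordinary zone data is ZSK-signed only. The code below is an added illustration, not BIND's code and not text from the RFC; it stands in for real RRSIG verification with key-tag matching so it runs offline, the key tags and record sets are constructed, and the "unless [unusual case]" exception is not modelled.

```python
"""Model of the RFC 7344 s4.1 signer rule for CDS/CDNSKEY (added example).

Cryptographic RRSIG verification is replaced by key-tag matching so the
check runs without keys or a resolver; in a real validator each RRSIG
would first be verified against the DNSKEY it names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    flags: int  # 257 = KSK (SEP bit set), 256 = ZSK

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 1)  # SEP bit


@dataclass(frozen=True)
class DS:
    key_tag: int  # key tag of the DNSKEY the parent's DS refers to


@dataclass(frozen=True)
class RRSIG:
    type_covered: str  # "CDS", "CDNSKEY", "A", ...
    key_tag: int       # key tag of the DNSKEY that produced the signature


def acceptable_signers(dnskeys, ds_set):
    """Key tags represented in BOTH the current DNSKEY and DS RRsets."""
    ds_tags = {d.key_tag for d in ds_set}
    return {k.key_tag for k in dnskeys if k.key_tag in ds_tags}


def cds_rrset_is_authenticated(rrsigs, dnskeys, ds_set, rrtype):
    """RFC 7344 s4.1 bullet 2: at least one RRSIG over the CDS/CDNSKEY
    RRset must come from a key that is in both DNSKEY and DS."""
    signers = {s.key_tag for s in rrsigs if s.type_covered == rrtype}
    return bool(signers & acceptable_signers(dnskeys, ds_set))


def bind_style_signers(dnskeys, rrtype):
    """Models the quoted dnssec-signzone branch: CDS and CDNSKEY are
    signed with every key (KSK and ZSK); other data gets ZSK-only."""
    if rrtype in ("CDS", "CDNSKEY"):
        return [k.key_tag for k in dnskeys]
    return [k.key_tag for k in dnskeys if not k.is_ksk]


# Constructed sample zone: one KSK published in the parent's DS, one ZSK.
KEYS = [DNSKEY(key_tag=12345, flags=257), DNSKEY(key_tag=23456, flags=256)]
DS_SET = [DS(key_tag=12345)]


def sign_like_bind(rrtype):
    """Produce the RRSIGs dnssec-signzone would attach to `rrtype`."""
    return [RRSIG(rrtype, tag) for tag in bind_style_signers(KEYS, rrtype)]


def demo():
    """Compare a BIND-style signed CDS RRset with a ZSK-only one."""
    bind_sigs = sign_like_bind("CDS")            # KSK + ZSK signatures
    zsk_only = [RRSIG("CDS", 23456)]             # what a ZSK-only signer gives
    return {
        "acceptable": acceptable_signers(KEYS, DS_SET),
        "bind_signed_ok": cds_rrset_is_authenticated(bind_sigs, KEYS, DS_SET, "CDS"),
        "zsk_only_ok": cds_rrset_is_authenticated(zsk_only, KEYS, DS_SET, "CDS"),
        "a_record_signers": bind_style_signers(KEYS, "A"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ZSK-only case fails the check because the ZSK has no DS at the parent, which is exactly why a signer that only ever uses the ZSK for non-DNSKEY data needs the special case Mark points to; the KSK signature BIND adds is what makes the RRset acceptable under the rule.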