On Wed, 12 Sep 2012, Rick van Rein wrote:
> > I'm looking at telling opendnssec to sign the DNSKEY RRset with both the
> > ZSK and KSK.
> Interesting -- what would be the use of such a configuration?
> It would introduce more signatures, and so more things to check (overhead,
> delays) to the DNSKEY RRset, without introducing additional validation
> paths because the KSK is the mechanism to validate DNSKEY RRsets.
> Moreover, it could trigger concealed bugs -- for instance, a ZSK following
> a different algorithm than the KSK could influence the set of algorithms
> that is required by a validating resolver (presumably due to bugs) as a
> result of doing something so unconventional.
> I'm curious about your usage pattern that would make this a necessity?
The reason I noticed is because I'm signing a zone with bind and
opendnssec, then zeroing out the RRSIGs and comparing the zones. This way
a bug in either bind or opendnssec would be spotted before a zone
is pushed live. The test fails because of the additional RRSIG.
I don't care much either way. I think resolvers all work with the ZSK
not signing the DNSKEY RRset.
Amusingly enough, bind's dnssec-signzone has a -x option to disable
the ZSK RRSIG over the DNSKEY RRset, but it seems to not work at all.
So I have two implementations that I can't seem to configure to act
the same, regardless of which of the two options would actually have
been preferred.
Paul
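The comparison Paul describes, written out as an added example (not code from BIND, OpenDNSSEC or the thread): strip every RRSIG from both zones, diff the remaining records, and separately report which key tags signed the DNSKEY RRset, so that a failure caused only by the extra ZSK signature over DNSKEY can be told apart from a real signer bug. Zone text is constructed, function names are hypothetical, and the parser assumes one record per line in presentation format (no parentheses), as `named-checkzone -D` style output gives.

```python
"""Differential check of two signed zones (constructed sample data, hypothetical names):
strip every RRSIG, diff what remains, and report which key tags signed the DNSKEY RRset."""
from typing import Dict, Iterator, Set, Tuple

# Constructed zone text in one-record-per-line presentation format; key material and
# signatures are placeholders, not real DNSSEC data. Key tag 12345 plays the KSK, 54321 the ZSK.
ZONE_BIND = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2012091201 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN DNSKEY 257 3 8 AwEAAc...KSK...
example. 3600 IN DNSKEY 256 3 8 AwEAAc...ZSK...
example. 3600 IN RRSIG DNSKEY 8 1 3600 20121012000000 20120912000000 12345 example. c2lnS1NL
example. 3600 IN RRSIG SOA 8 1 3600 20121012000000 20120912000000 54321 example. c2lnWlNL
example. 3600 IN RRSIG NS 8 1 3600 20121012000000 20120912000000 54321 example. c2lnWlNL
"""
# The same data as the other signer would emit it: one extra RRSIG over DNSKEY made by the ZSK.
ZONE_ODS = ZONE_BIND + \
    "example. 3600 IN RRSIG DNSKEY 8 1 3600 20121012000000 20120912000000 54321 example. c2lnWlNL\n"

Record = Tuple[str, str, str, str, str]

def records(zone_text: str) -> Iterator[Record]:
    """Yield (owner, ttl, class, type, rdata); comments dropped, whitespace normalised."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
            yield owner.lower(), ttl, rrclass.upper(), rrtype.upper(), " ".join(rdata.split())

def unsigned_records(zone_text: str) -> Set[str]:
    """Every record except RRSIGs, as canonical one-line strings (the 'zeroed out' view)."""
    return {" ".join(rec) for rec in records(zone_text) if rec[3] != "RRSIG"}

def dnskey_signers(zone_text: str) -> Set[int]:
    """Key tags of RRSIGs covering DNSKEY; the tag is the 7th RRSIG RDATA field (RFC 4034 3.2)."""
    tags: Set[int] = set()
    for _, _, _, rrtype, rdata in records(zone_text):
        fields = rdata.split()
        if rrtype == "RRSIG" and fields[0].upper() == "DNSKEY":
            tags.add(int(fields[6]))
    return tags

def compare_signed_zones(zone_a: str, zone_b: str) -> Dict[str, object]:
    """Diff the unsigned data and expose both DNSKEY signer sets, so a failing comparison
    can be attributed to signing policy (who signs DNSKEY) rather than to a signer bug."""
    a, b = unsigned_records(zone_a), unsigned_records(zone_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a),
            "dnskey_signers_a": dnskey_signers(zone_a), "dnskey_signers_b": dnskey_signers(zone_b)}

if __name__ == "__main__":
    print(compare_signed_zones(ZONE_BIND, ZONE_ODS))
```

With the sample data the unsigned diff is empty while the DNSKEY signer sets differ ({12345} versus {12345, 54321}), which is exactly the situation in the thread; a changed NS record, by contrast, shows up in the diff.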
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user