[dns-operations] DNSKEY signatures
george.barwood at blueyonder.co.uk
Mon Apr 19 16:06:39 UTC 2010
It seems to me that DNSKEY RRsets should only be signed with the keys that
are designated as secure entry points, that is keys with bit 15 set: DNSKEY Flags field = 257.
However the examples I have seen (including RFC 4035) all seem to sign the DNSKEY RRset with
the zone signing key(s) as well.
The standard ( http://tools.ietf.org/html/rfc4035#section-2.2 ) says

    There MUST be an RRSIG for each RRset using at least one DNSKEY of
    each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
    itself MUST be signed by each algorithm appearing in the DS RRset
    located at the delegating parent (if any).

But this doesn't seem to explain the observed practice.
Any explanation? Am I missing something?
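Added example, not part of the original post: a small checker that applies the RFC 4035 section 2.2 wording quoted above to an apex DNSKEY RRset, its RRSIG records and the parent's DS RRset, plus the section 5.2 requirement that a validator can only authenticate the DNSKEY RRset through a signature made by a Zone Key that matches a DS record. The point it makes is that neither rule mentions the SEP flag: signing with a 256-flagged key as well is not required, and signing with the 256-flagged key alone would satisfy the algorithm rule but not the chain rule. The records, key tags and the `signed_by` helper are constructed for illustration; no cryptographic verification is performed, and a DS is matched to a DNSKEY by key tag and algorithm only, standing in for the digest comparison a real validator does.

```python
from dataclasses import dataclass
from typing import Iterable, List

# DNSKEY Flags bits (RFC 4034 section 2.1.1): bit 7 = Zone Key, bit 15 = SEP.
# In the 16-bit field that is 0x0100 and 0x0001, so 257 = ZONE_KEY | SEP.
ZONE_KEY = 0x0100
SEP = 0x0001


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    key_tag: int

    @property
    def is_zone_key(self) -> bool:
        return bool(self.flags & ZONE_KEY)

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & SEP)


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


def check_apex_dnskey_signatures(dnskeys: Iterable[DNSKEY],
                                 rrsigs: Iterable[RRSIG],
                                 ds_set: Iterable[DS]) -> List[str]:
    """Apply the RFC 4035 section 2.2 algorithm rules and the section 5.2
    chain requirement to an apex DNSKEY RRset.  Returns a list of problems,
    empty when everything is satisfied.  Only RRSIG metadata is examined;
    signature verification is assumed to happen elsewhere, and a DS is
    matched to a DNSKEY by (key tag, algorithm), a simplification that stands
    in for the digest comparison a real validator performs."""
    dnskeys, ds_set = list(dnskeys), list(ds_set)
    dnskey_sigs = [s for s in rrsigs if s.type_covered == "DNSKEY"]
    problems: List[str] = []

    # 2.2: at least one RRSIG using each algorithm present in the DNSKEY RRset.
    sig_algs = {s.algorithm for s in dnskey_sigs}
    for alg in sorted({k.algorithm for k in dnskeys} - sig_algs):
        problems.append(f"no RRSIG(DNSKEY) for algorithm {alg} present in the DNSKEY RRset")

    # 2.2: the DNSKEY RRset must be signed by each algorithm in the parent DS RRset.
    for alg in sorted({d.algorithm for d in ds_set} - sig_algs):
        problems.append(f"DS RRset lists algorithm {alg} but no RRSIG(DNSKEY) uses it")

    # Every RRSIG must be attributable to a key in the RRset itself.
    keys_by_id = {(k.key_tag, k.algorithm): k for k in dnskeys}
    for s in dnskey_sigs:
        if (s.key_tag, s.algorithm) not in keys_by_id:
            problems.append(f"RRSIG(DNSKEY) by key tag {s.key_tag}/alg {s.algorithm} matches no DNSKEY")

    # 5.2: a validator authenticates the DNSKEY RRset via a signature made by a
    # DNSKEY that matches a DS record and has the Zone Key flag set.  The SEP
    # flag plays no part in this; it is only a hint to signing tools.
    if ds_set:
        chain_ok = any(
            (s.key_tag, s.algorithm) in keys_by_id
            and keys_by_id[(s.key_tag, s.algorithm)].is_zone_key
            and any(d.key_tag == s.key_tag and d.algorithm == s.algorithm for d in ds_set)
            for s in dnskey_sigs
        )
        if not chain_ok:
            problems.append("no RRSIG(DNSKEY) made by a zone key that matches a DS record")
    return problems


# Constructed records (not from any real zone): one KSK (flags 257) and one
# ZSK (flags 256), both algorithm 8 (RSA/SHA-256); key tags are made up.
KSK = DNSKEY(flags=257, algorithm=8, key_tag=12345)
ZSK = DNSKEY(flags=256, algorithm=8, key_tag=54321)
APEX_DNSKEYS = [KSK, ZSK]
PARENT_DS = [DS(key_tag=12345, algorithm=8)]


def signed_by(*keys: DNSKEY) -> List[RRSIG]:
    """Hypothetical helper: the RRSIG(DNSKEY) records the given keys would produce."""
    return [RRSIG("DNSKEY", k.algorithm, k.key_tag) for k in keys]


if __name__ == "__main__":
    for label, sigs in [("KSK only", signed_by(KSK)),
                        ("KSK and ZSK", signed_by(KSK, ZSK)),
                        ("ZSK only", signed_by(ZSK))]:
        print(label, check_apex_dnskey_signatures(APEX_DNSKEYS, sigs, PARENT_DS) or "ok")
```

Running it shows "KSK only" and "KSK and ZSK" both pass, so the extra ZSK signature in the RFC examples is permitted but not demanded by the text, while "ZSK only" satisfies the algorithm rule yet leaves a validator with no signature it can tie to the DS. Adding a second-algorithm ZSK without a matching RRSIG(DNSKEY) is the case the "each algorithm" clause catches.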