[dns-operations] DNSKEY signatures
george.barwood at blueyonder.co.uk
Mon Apr 19 20:28:27 UTC 2010
Thanks for the link.
I have just noted the existence of http://tools.ietf.org/html/rfc3757
where it states
When signing a zone, it is intended that the key(s) with the SEP bit
set (if such keys exist) are used to sign the KEY RR set of the zone.
which seems fairly conclusive. However, I can imagine a possible problem where a
key is used as a SEP but the flag is not set. This could be because the key was
created before the SEP flag was even defined (i.e. pre RFC3757) , or where a
key without the SEP flag has been configured as a trust anchor. I think it's OK to
assume that ONLY DS records are used as trust anchors in the absence of any special
publishing arrangement. So it's maybe not 100% clear cut, but I think with normal
operational practice ( delegation via DS records ), it's fine to sign the DNSKEY
RRset with just the SEP keys. I think the standard could be a bit stronger and say
that keys that are to be used as an SEP ( either by DS records or as configured trust
anchors ) MUST have the SEP bit set. But one can perhaps just put this in the
implementation's operating instructions instead.
----- Original Message -----
From: "Edward Lewis" <Ed.Lewis at neustar.biz>
To: <dns-operations at dns-oarc.net>
Cc: <ed.lewis at neustar.biz>
Sent: Monday, April 19, 2010 5:36 PM
Subject: Re: [dns-operations] DNSKEY signatures
> At 17:06 +0100 4/19/10, George Barwood wrote:
>>Any explanation? Am I missing something?
> Edward Lewis
> NeuStar You can leave a voice message at +1-571-434-5468
> Wouldn't it be nice if all of the definitions of equivalence were the same?
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
More information about the dns-operations