[dns-operations] DNSKEY signatures

George Barwood george.barwood at blueyonder.co.uk
Mon Apr 19 20:28:27 UTC 2010


Edward,

Thanks for the link.

I have just noted the existence of http://tools.ietf.org/html/rfc3757

where it states

   When signing a zone, it is intended that the key(s) with the SEP bit
   set (if such keys exist) are used to sign the KEY RR set of the zone.

which seems fairly conclusive. However, I can imagine a possible problem where a
key is used as a SEP but the flag is not set. This could be because the key was
created before the SEP flag was even defined (i.e. pre-RFC3757), or where a
key without the SEP flag has been configured as a trust anchor. I think it's OK to
assume that ONLY DS records are used as trust anchors in the absence of any special
publishing arrangement. So it's maybe not 100% clear cut, but I think with normal
operational practice (delegation via DS records), it's fine to sign the DNSKEY
RRset with just the SEP keys. I think the standard could be a bit stronger and say
that keys that are to be used as an SEP (either by DS records or as configured trust
anchors) MUST have the SEP bit set. But one can perhaps just put this in the
implementation's operating instructions instead.

George

----- Original Message ----- 
From: "Edward Lewis" <Ed.Lewis at neustar.biz>
To: <dns-operations at dns-oarc.net>
Cc: <ed.lewis at neustar.biz>
Sent: Monday, April 19, 2010 5:36 PM
Subject: Re: [dns-operations] DNSKEY signatures


> At 17:06 +0100 4/19/10, George Barwood wrote:
> 
>>Any explanation? Am I missing something?
> 
> http://dnssec-deployment.org/pipermail/dnssec-deployment/2009-September/003387.html
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
> 
> Wouldn't it be nice if all of the definitions of equivalence were the same?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
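The check George's mail argues for, as an added example that is not part of either message: given a zone's DNSKEY RRset plus the key tags named in its parent's DS records (and any locally configured trust anchors), decide which keys RFC 3757 expects to sign the DNSKEY RRset, and flag the operational gap he describes, a key that is an entry point but never had the SEP bit set. The keys, key tags and DS references below are constructed sample data, not real key material; the key tag routine follows RFC 4034 Appendix B and the flag bit values follow RFC 3757 / RFC 4034.

```python
"""Audit which DNSKEYs of a zone are Secure Entry Points (SEP) and whether any
key referenced by a DS record or configured as a trust anchor lacks the SEP bit."""
import base64
import struct

SEP_FLAG = 0x0001       # RFC 3757: Secure Entry Point bit (bit 15 of the flags field)
ZONE_KEY_FLAG = 0x0100  # RFC 4034: Zone Key bit (bit 7 of the flags field)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def audit_dnskey_rrset(dnskeys, ds_tags, trust_anchor_tags=frozenset()):
    """Return (signers, warnings).

    signers:  key tags that should sign the DNSKEY RRset. Per RFC 3757 these are
              the SEP-flagged keys; a key that is an entry point (DS or trust
              anchor) without the SEP bit is added as well, since a validator
              will still try to chain through it.
    warnings: human-readable findings, one per problematic key.
    """
    entry_points = set(ds_tags) | set(trust_anchor_tags)
    signers, warnings = set(), []
    for flags, protocol, algorithm, pubkey_b64 in dnskeys:
        tag = key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey_b64))
        has_sep = bool(flags & SEP_FLAG)
        if not flags & ZONE_KEY_FLAG:
            warnings.append(f"key {tag}: Zone Key bit not set, cannot be used for zone signing")
            continue
        if has_sep:
            signers.add(tag)
            if tag not in entry_points:
                warnings.append(f"key {tag}: SEP bit set but no DS or trust anchor references it")
        elif tag in entry_points:
            # The case from the mail: pre-RFC3757 key, or a trust anchor configured
            # without the SEP bit. Flag it, and still expect it to sign the RRset.
            warnings.append(f"key {tag}: used as entry point (DS/trust anchor) but SEP bit not set")
            signers.add(tag)
    return signers, warnings


# Constructed sample RRset: (flags, protocol, algorithm, public key in base64).
# Algorithm 13 is ECDSAP256SHA256; the key bytes are placeholders, not real keys.
ZONE_DNSKEYS = [
    (257, 3, 13, "AQIDBA=="),  # KSK with SEP bit set           -> key tag 2068
    (256, 3, 13, "BQYHCA=="),  # ZSK, no SEP bit                -> key tag 4123
    (256, 3, 13, "CQoLDA=="),  # referenced by a DS, SEP unset  -> key tag 6179
]
# Constructed: key tags the parent publishes in DS records for this zone.
DS_TAGS = {2068, 6179}

if __name__ == "__main__":
    signers, warnings = audit_dnskey_rrset(ZONE_DNSKEYS, DS_TAGS)
    print("keys expected to sign the DNSKEY RRset:", sorted(signers))
    for line in warnings:
        print("warning:", line)
```

Run against a real zone, the inputs would come from the zone's DNSKEY RRset and the DS RRset at the parent; the tags are matched on key tag only here, so a tag collision between two keys would need the DS digest compared as well before acting on a warning.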