[dns-operations] DNSKEY signatures

Jelte Jansen jelte at isc.org
Mon Apr 19 22:27:44 UTC 2010


On 04/19/2010 10:28 PM, George Barwood wrote:
> Edward,
> 
> Thanks for the link.
> 
> I have just noted the existence of  http://tools.ietf.org/html/rfc3757
> 
> where it states
> 
>    When signing a zone, it is intended that the key(s) with the SEP bit
>    set (if such keys exist) are used to sign the KEY RR set of the zone.
> 
> which seems fairly conclusive. However, I can imagine a possible problem where a
> key is used as a SEP but the flag is not set. This could be because the key was
> created before the SEP flag was even defined (i.e. pre RFC3757), or where a
> key without the SEP flag has been configured as a trust anchor. I think it's OK to
> assume that ONLY DS records are used as trust anchors in the absence of any special
> publishing arrangement. So it's maybe not 100% clear cut, but I think with normal
> operational practice (delegation via DS records), it's fine to sign the DNSKEY
> RRset with just the SEP keys. I think the standard could be a bit stronger and say
> that keys that are to be used as an SEP (either by DS records or as configured trust
> anchors) MUST have the SEP bit set. But one can perhaps just put this in the
> implementation's operating instructions instead.
> 

Protocol-wise (in terms of RFC403X validation), SEP has no value.

I used to think of KSKs as signing the DNSKEY set, and ZSKs signing all.
I have since been convinced otherwise and now think of it like this:
they are independent properties.

A key can be a KSK (it signs the DNSKEY set), a ZSK (it signs every
RRset except DNSKEY), none (it's published but not actually used), or
both (it signs all RRsets).

Due to that section you previously mentioned, for every algorithm that
you have one or more keys in, you must have at least one that is a KSK
and one that is a ZSK, but this may be the same key. And if you have one
or more KSKs that are not ZSKs, you don't need your ZSK(s) to be KSKs
too (in fact having them not be saves packet space).

The SEP bit should only (but does not have to) be set on keys that have
the KSK property; it can be used by automation tools (either signers to
decide which keys to use for what, or pullers to decide which should be
seen as anchors or DS sources). If none of the tools use it (a lot do
though), it should be safe to set it to 0.

Jelte


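Added example, not part of the original message or of any signer's code: a small audit that derives each key's role from the RRsets it actually signs, compares that with the SEP bit, and checks the per-algorithm rule described in the message above. The key tags, algorithms and RRSIG tuples are constructed sample data, and treating a key as a ZSK when it signs at least one non-DNSKEY RRset is a simplification made for this example.

```python
from collections import defaultdict

SEP = 0x0001  # SEP bit in the DNSKEY flags field (RFC 3757); flags 257 has it, 256 does not

# Constructed sample data, not from a real zone.
DNSKEYS = [  # (key_tag, algorithm, flags)
    (11111, 8, 257), (22222, 8, 256), (33333, 8, 256),
    (44444, 5, 257), (55555, 13, 257),
]
RRSIGS = [  # (type_covered, algorithm, key_tag)
    ("DNSKEY", 8, 11111), ("SOA", 8, 22222), ("NS", 8, 22222),
    ("DNSKEY", 5, 44444), ("SOA", 5, 44444), ("SOA", 13, 55555),
]
NAMES = {(True, True): "both", (True, False): "KSK",
         (False, True): "ZSK", (False, False): "none"}

def classify(dnskeys, rrsigs):
    """Derive each key's role from what it signs; record SEP separately."""
    roles = {}
    for tag, alg, flags in dnskeys:
        # Simplification: a key is identified by (tag, algorithm); real tags can collide.
        covered = {t for t, a, k in rrsigs if (a, k) == (alg, tag)}
        ksk = "DNSKEY" in covered
        zsk = bool(covered - {"DNSKEY"})  # signs at least one non-DNSKEY RRset
        roles[(tag, alg)] = {"role": NAMES[(ksk, zsk)], "ksk": ksk,
                             "zsk": zsk, "sep": bool(flags & SEP)}
    return roles

def audit(roles):
    """Report SEP/role mismatches and algorithms lacking a KSK or a ZSK."""
    findings, by_alg = [], defaultdict(list)
    for (tag, alg), r in roles.items():
        by_alg[alg].append(r)
        if r["sep"] != r["ksk"]:
            state = "set" if r["sep"] else "clear"
            findings.append(f"key {tag} (alg {alg}): SEP {state} but role is {r['role']}")
    for alg, rs in by_alg.items():
        for prop, what in (("ksk", "the DNSKEY RRset"), ("zsk", "the other RRsets")):
            if not any(r[prop] for r in rs):
                findings.append(f"algorithm {alg}: no key signs {what}")
    return findings

if __name__ == "__main__":
    roles = classify(DNSKEYS, RRSIGS)
    for (tag, alg), r in roles.items():
        print(tag, alg, r["role"], "SEP" if r["sep"] else "-")
    print(*audit(roles), sep="\n")
```

In the sample, the algorithm 13 key carries SEP but signs only the SOA, so the audit reports both the SEP mismatch and the missing DNSKEY signer for that algorithm.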
