[dns-operations] DNSKEY signatures

George Barwood george.barwood at blueyonder.co.uk
Tue Apr 20 16:36:48 UTC 2010

----- Original Message ----- 
From: "Andrew Sullivan" <ajs at shinkuro.com>
To: <dns-operations at lists.dns-oarc.net>
Sent: Tuesday, April 20, 2010 2:42 PM
Subject: Re: [dns-operations] DNSKEY signatures

> On Mon, Apr 19, 2010 at 05:06:39PM +0100, George Barwood wrote:
>> It seems to me that DNSKEY RRsets should only  be signed with the keys that
>> are designated as secure entry points, that is keys with bit 15 set : DNSKEY Flags field = 257.
> That is explicitly denied by the RFCs.  

Hmm. Where? Maybe my use of "should" is not quite accurate. "may" might more accurate.

The RFCs (AFAIK) do not say anything how a client can know that a particular key is suitable for
use as a trust anchor. Thus this must to some extent lie outside the protocol. It is certainly
necessary to restrict the keys that are used - clients cannot just pick a key and hope for the best.
There might be an external protocol, or some validity statement "This trust anchor is valid
for five years, unless a message is posted to xxxx mailing list announcing an emergency rollover",
whatever. Of course the most common case by far will be to publish a DS record in the parent zone.

The RFCs do allow a Zone Signing Key to be used as a trust anchor, but it seems to me
that an implementation is free to restrict which keys may be used as trust anchors in any
way it sees fit, provided this is made clear (in documentation) to the zone administrator.

The two obvious ways are :
(a) Only keys with the SEP bit set may be used.
(b) Only published DS records may be used.

An implementation might provide a facility for a ZSK that is not
designated as a SEP to be used, but this seems to have no real use,
and is only likely to cause confusion I think.

Well, that's my interpretation so far, but quite possibly it is wrong.


> A
> -- 
> Andrew Sullivan
> ajs at shinkuro.com
> Shinkuro, Inc.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list