[dns-operations] DNSKEY signatures

Andrew Sullivan ajs at shinkuro.com
Tue Apr 20 17:00:47 UTC 2010

On Tue, Apr 20, 2010 at 05:36:48PM +0100, George Barwood wrote:
> Hmm. Where? Maybe my use of "should" is not quite accurate. "may" might more accurate.

Yes, you may use it this way.  But 3757 is quite clear that there is
no in-protocol consequence of the SEP bit.  Moreover, 4035 §5 makes
perfectly clear what the criteria are for validation, and the SEP bit
is not among them.

> The RFCs (AFAIK) do not say anything how a client can know that a particular key is suitable for
> use as a trust anchor. 

You got it via the trust-anchor-getting mechanism.  4035, §5:

   To use DNSSEC RRs for authentication, a security-aware resolver
   requires configured knowledge of at least one authenticated DNSKEY or
   DS RR.  The process for obtaining and authenticating this initial
   trust anchor is achieved via some external mechanism.  For example, a
   resolver could use some off-line authenticated exchange to obtain a
   zone's DNSKEY RR or to obtain a DS RR that identifies and
   authenticates a zone's DNSKEY RR.  The remainder of this section
   assumes that the resolver has somehow obtained an initial set of
   trust anchors.

> whatever. Of course the most common case by far will be to publish a DS record in the parent zone.

Right.  And 4035 also explains what the restriction is there.  The
DNSKEY RR has to have the Zone Key Flag set, but it doesn't need to
have the SEP bit.

> The RFCs do allow a Zone Signing Key to be used as a trust anchor, but it seems to me
> that an implementation is free to restrict which keys may be used as trust anchors in any
> way it sees fit, provided this is made clear (in documentation) to the zone administrator.

Oh, I think I may have misunderstood you.  Of course an administrative
tool could refuse to sign a zone with a key that didn't have the SEP
bit set.  IMO this would be a mistake, because I don't really believe
that every zone ought to _have_ different KSKs and ZSKs.

> (a) Only keys with the SEP bit set may be used.

The problem here is that many people seem to have developed the
unfortunate belief that SEP == KSK and nothing else.  I don't want to
reinforce that.

> (b) Only published DS records may be used.

The problem here is that you couldn't use a special trust-anchor-only
signer for particular cases.  I think that might be bad too.  Also,
one mode of signing is that you sign with the new key and only then
send the DS along, because maybe the parent wants to check to see
whether the DS actually corresponds to some key you have in your zone.


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.

More information about the dns-operations mailing list