[dns-operations] Multiple DS DNSSEC validation

Rubens Kuhl rubensk at nic.br
Tue Jul 11 03:08:54 UTC 2017

My reading of DNSSEC RFCs couldn't negate or confirm whether the DNSSEC architecture I'll describe below works or not. Any hints on that are appreciated.

A zone is delegated to 3 name servers (unicast for simplicity); those 3 name servers operate independently of each other, each of them having a unique key for that same zone. All of them have all 3 DNSKEY records for that zone, the DNSKEY RRset being the same among all of them.

A DS record for each of the name servers' keys is inserted into the parent, making all RRSIGs produced by any of the name servers valid, including the RRSIG for the DNSKEY records.

It just happens that, depending on the name server, a specific key will be used, since each one only has its own private key, although it knows the public keys of all 3.

Does this break anything? If it indeed breaks, is there an alternative?
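The validator-side logic behind the question above, as an added example that is not part of the original post: it computes key tags and SHA-256 DS records (RFC 4034) over constructed DNSKEY RDATA for three independent signers, then applies the RFC 4035 section 5.2 rule that the apex DNSKEY RRset is authenticated when some DNSKEY matches a parent DS and also made a verified RRSIG over that RRset. The zone name and key bytes are constructed placeholders, and cryptographic RRSIG verification is assumed done upstream (only the key tags of verified signatures are passed in).

```python
import hashlib
import struct

# Added example (not from the thread): models the validator's DS/DNSKEY matching
# for the three-signer setup described above. Zone name and key material are
# constructed placeholders, not real keys.
ZONE = "example.test."

def wire_name(name):
    """Dotted name to DNS wire format, lower-cased (RFC 4034 section 6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B (for algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, rdata):
    """DS RDATA as (key tag, algorithm, digest type 2, SHA-256 hex), RFC 4034 5.1.4."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def dnskey_rrset_secure(owner, dnskey_rrset, verified_sig_tags, parent_ds):
    """RFC 4035 section 5.2: the apex DNSKEY RRset is authenticated if some DNSKEY
    both matches a parent DS and made a verified RRSIG over the DNSKEY RRset.
    Signature checking is assumed done upstream; verified_sig_tags holds the key
    tags of the RRSIGs over the DNSKEY RRset that verified cryptographically."""
    return any(ds_record(owner, k) in parent_ds and key_tag(k) in verified_sig_tags
               for k in dnskey_rrset)

# Three independent signers; constructed 32-byte stand-ins for Ed25519 (alg 15) keys.
KEYS = [dnskey_rdata(257, 15, hashlib.sha256(f"signer-{i}".encode()).digest())
        for i in (1, 2, 3)]

def validate_each_server(parent_ds):
    """Each server serves the full DNSKEY RRset but signs it only with its own key.
    Returns {server_index: DNSKEY RRset authenticated?} for the given parent DS set."""
    return {i: dnskey_rrset_secure(ZONE, KEYS, {key_tag(KEYS[i])}, parent_ds)
            for i in range(3)}

if __name__ == "__main__":
    all_ds = {ds_record(ZONE, k) for k in KEYS}       # one DS per signer key
    one_ds = {ds_record(ZONE, KEYS[0])}                # DS for signer 1 only
    print("DS for all three keys:", validate_each_server(all_ds))
    print("DS for key 1 only:   ", validate_each_server(one_ds))
```

With a DS for every key, the DNSKEY RRset authenticates no matter which server answered; with a DS for only one key, answers signed by the other two servers fail, which is the failure mode the full DS set avoids.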
