[dns-operations] Multiple DS DNSSEC validation

Robert Martin-Legene rlegene at gmail.com
Tue Jul 11 03:34:26 UTC 2017


Quite an unusual setup, but off the top of my head, my instinct tells me it
would work. Not just for KSKs but also for ZSKs.

All keys get authorized by a signature by any of the keys pointed to by the
DS RRs.

On Tue, 11 Jul 2017, 00:14 Rubens Kuhl, <rubensk at nic.br> wrote:

>
> My reading of DNSSEC RFCs couldn't negate or confirm whether the DNSSEC
> architecture I'll describe below works or not. Any hints on that are
> appreciated.
>
> A zone is delegated to 3 name servers (unicast for simplicity); those 3
> name servers operate independently of each other, each of them having a
> unique key for that same zone. All of them have all 3 DNSKEY responses for
> that zone, the DNSKEY records being the same among all of them.
>
> A DS record for each of the name servers' keys is inserted into the parent,
> making all RRSIGs produced by any of the name servers valid, including the
> RRSIG for the DNSKEY records.
>
> It just happens that depending on the name server a specific key will be
> used, since each one only has its own private key, although knowing the
> public keys of all 3.
>
> Does this break anything? If it indeed breaks, is there an alternative?
>
> Rubens
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
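As an added example (not part of either message above), the following Python models the validator-side logic the reply relies on: the DNSKEY RRset is authenticated if any one RRSIG over it verifies under a key that matches a parent DS, and every key in that RRset is then trusted, so a server signing with only its own key is accepted as long as the parent carries a DS for that key. Signatures are a hash-based stand-in, not real DNSSEC crypto; key tags and DS digests follow RFC 4034. The owner name, key bytes and the A record are constructed for the demonstration.

```python
import hashlib
import struct
# Signatures here are a stand-in (hash over signer key and data), not real DNSSEC
# crypto; only the chain-of-trust logic is modelled. Key tag and DS digest follow
# RFC 4034 (Appendix B and section 5.1.4, digest type 2 = SHA-256).

def name_wire(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(pubkey: bytes, flags: int = 257, alg: int = 13) -> bytes:
    return struct.pack("!HBB", flags, 3, alg) + pubkey  # protocol field is always 3

def key_tag(rdata: bytes) -> int:
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner: str, rdata: bytes) -> tuple:
    return (key_tag(rdata), hashlib.sha256(name_wire(owner) + rdata).digest())

def sign(signer_rdata: bytes, data: bytes) -> tuple:
    return (key_tag(signer_rdata), hashlib.sha256(signer_rdata + data).digest())

def sig_ok(rdata: bytes, data: bytes, sig: tuple) -> bool:
    return sig == sign(rdata, data)

def validate_dnskey_rrset(owner: str, ds_set: set, dnskeys: list, rrsigs: list) -> set:
    """RFC 4035 5.3.1: one RRSIG verifying under a DS-matching key from the RRset
    authenticates the whole RRset; every key in it is then trusted."""
    data = b"".join(sorted(dnskeys))
    for sig in rrsigs:
        for k in dnskeys:
            if key_tag(k) == sig[0] and ds_for(owner, k) in ds_set and sig_ok(k, data, sig):
                return set(dnskeys)
    return set()

def validate_rrset(trusted_keys: set, data: bytes, sig: tuple) -> bool:
    return any(key_tag(k) == sig[0] and sig_ok(k, data, sig) for k in trusted_keys)

# Constructed scenario: three servers, one key each, all publishing the same
# DNSKEY RRset, and a DS in the parent for every key.
OWNER = "example."
KEYS = [dnskey_rdata(b"constructed-pubkey-%d" % i) for i in (1, 2, 3)]
ALL_DS = {ds_for(OWNER, k) for k in KEYS}

def server_response(server_idx: int) -> list:
    """Server i holds only private key i, so its RRSIG over DNSKEY uses key i alone."""
    return [sign(KEYS[server_idx], b"".join(sorted(KEYS)))]
```

Dropping the DS for a key from the parent makes responses from that server fail validation even though its key is still in the shared DNSKEY RRset, which is why all three DS records are needed.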