[dns-operations] Multiple DS DNSSEC validation

Mark Andrews marka at isc.org
Tue Jul 11 03:47:12 UTC 2017


In message <01CFB6F2-54AD-4234-999E-975E117A32C8 at nic.br>, Rubens Kuhl writes:
>
> My reading of DNSSEC RFCs couldn't negate or confirm whether the DNSSEC
> architecture I'll describe below works or not. Any hints on that are
> appreciated.
>
> A zone is delegated to 3 name servers (unicast for simplicity); those 3
> name servers operate independently of each other, each of them having a
> unique key for that same zone. All of them have all 3 DNSKEY responses
> for that zone, the DNSKEY records being the same among all of them.
>
> A DS record for each name server's key is inserted into the parent,
> making all RRSIGs produced by any of the name servers valid, including
> the RRSIG for the DNSKEY records.
>
> It just happens that, depending on the name server, a specific key will
> be used, since each one only has its own private key, although it knows
> the public keys of all 3.
>
>
> Does this break anything? If it indeed breaks, is there an alternative?

It shouldn't break anything.  That said, there have been cases where
validators do the wrong thing.

Mark

> Rubens
>
>
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
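[Added example; this is not code from the thread, from ISC or from any
name server, and the names in it are constructed.] The validator-side
check that decides whether the setup Rubens describes works is RFC 4035
section 5.2: the DNSKEY RRset is secure as soon as any one DS in the
parent matches a zone key that validly signed that RRset, so three DS
records, one per server key, are enough. The Go program below models the
three servers, each signing the shared three-key DNSKEY RRset with only
its own private key, with the parent publishing one DS per key, and also
shows the operational caveat: if one key's DS is missing from the parent,
that server's answers come out bogus, not insecure. Key tag and DS digest
computation follow RFC 4034; Ed25519 (algorithm 15) is assumed for
brevity; the data covered by the signature is simplified to the owner
name plus the sorted DNSKEY RDATA rather than the full RRSIG wire format;
the zone name example. and all function names are assumptions of the
example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"sort"
	"strings"
)

// Minimal DNSKEY RR (RFC 4034 s.2); algorithm 15 (Ed25519, RFC 8080) keeps the public key field a raw 32-byte value.
type dnskey struct{ Flags uint16; Proto, Alg uint8; Pub []byte }

// DS RR (RFC 4034 s.5) carrying a SHA-256 (digest type 2) digest.
type ds struct{ KeyTag uint16; Alg, DigestType uint8; Digest []byte }

func (k dnskey) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Proto, k.Alg}, k.Pub...)
}

// keyTag is the RFC 4034 Appendix B checksum; tags can collide, so a tag match is only a hint and the DS digest decides.
func (k dnskey) keyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		ac += uint32(b) << (8 * uint(1-i%2)) // even offsets form the high byte
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// wireName is the canonical (lowercase) wire form of an owner name.
func wireName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// makeDS hashes owner-name || DNSKEY RDATA (RFC 4034 s.5.1.4).
func makeDS(owner string, k dnskey) ds {
	h := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return ds{k.keyTag(), k.Alg, 2, h[:]}
}

// signedData is what the signature covers here: owner name plus every DNSKEY RDATA in canonical (sorted)
// order. A real RRSIG also covers the RRSIG RDATA header and full RR wire format; that is simplified away (assumption).
func signedData(owner string, keys []dnskey) []byte {
	rds := make([][]byte, len(keys))
	for i, k := range keys {
		rds[i] = k.rdata()
	}
	sort.Slice(rds, func(i, j int) bool { return bytes.Compare(rds[i], rds[j]) < 0 })
	return append(wireName(owner), bytes.Join(rds, nil)...)
}

// validateDNSKEY applies RFC 4035 s.5.2: the DNSKEY RRset is secure if ANY parent DS matches a zone key in the
// set and that key validly signed the set. sigTag is the RRSIG's Key Tag field; the authenticating key's tag is returned.
func validateDNSKEY(owner string, dsSet []ds, keys []dnskey, sigTag uint16, sig []byte) (uint16, error) {
	data := signedData(owner, keys)
	for _, k := range keys {
		if k.keyTag() != sigTag || k.Alg != 15 || k.Flags&0x0100 == 0 {
			continue // not the signer, not Ed25519, or Zone Key bit clear
		}
		want := makeDS(owner, k)
		for _, d := range dsSet {
			if d.KeyTag == want.KeyTag && d.Alg == want.Alg && d.DigestType == 2 &&
				bytes.Equal(d.Digest, want.Digest) && ed25519.Verify(ed25519.PublicKey(k.Pub), data, sig) {
				return k.keyTag(), nil
			}
		}
	}
	return 0, errors.New("bogus: no DS matches a key that validly signed the DNSKEY RRset")
}

// setup builds the thread's scenario: three servers, each holding only its own
// private key, all serving the same three-key DNSKEY RRset, and one DS per key.
func setup(owner string) (privs []ed25519.PrivateKey, keys []dnskey, dsSet []ds) {
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		k := dnskey{257, 3, 15, pub}
		privs, keys, dsSet = append(privs, priv), append(keys, k), append(dsSet, makeDS(owner, k))
	}
	return
}

// validatedAnswers has each server answer with the shared RRset signed by its own key while only the
// first nDS DS records are published in the parent, and returns how many of the three answers validate.
func validatedAnswers(owner string, nDS int) int {
	privs, keys, dsSet := setup(owner)
	n := 0
	for i, priv := range privs {
		sig := ed25519.Sign(priv, signedData(owner, keys))
		if tag, err := validateDNSKEY(owner, dsSet[:nDS], keys, keys[i].keyTag(), sig); err == nil && tag == keys[i].keyTag() {
			n++
		}
	}
	return n
}
```

With all three DS records published, validatedAnswers("example.", 3)
returns 3; drop the third DS and validatedAnswers("example.", 2) returns
2, the third server's answers failing validation outright. Two points
the code makes concrete: the DNSKEY RRset served by every server has to
contain all three public keys, so a resolver that cached the RRset from
one server (authenticated through that server's DS) still trusts data it
later receives signed by another server's key; and every key rollover on
any one server has to be reflected in the parent's DS set before that
server starts signing with the new key.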
