[dns-operations] Multiple DS DNSSEC validation

Paul Vixie paul at redbarn.org
Tue Jul 11 03:55:25 UTC 2017

Robert Martin-Legene wrote:
> Quite an unusual setup, but off the top of my head, my instinct tells me
> it would work. Not just for KSKs but also for ZSKs.

in the yeti-dns project, each distribution master has its own zsk, and 
they share a ksk. each of us generates rrsigs only using our own zsk, 
plus an apex signature covering the full dnskey rrset (1 ksk, 3 zsk's).

it's a copy of the iana root zone, so, there are no DS RRs for these 
keys. only the configured trust anchor, which pertains only to the KSK, 
identifies or validates these keys.

validation works fine -- no warnings, no unexplained failures.

> All keys get authorized by a signature by any of the keys pointed to by
> the DS RRs.

intuitively, it ought to work fine for any zone for which DS RRs exist 
(so, any non-root zone). validators look for working paths and ignore 
non-working paths. only if there are no working paths does failure occur.

P Vixie

More information about the dns-operations mailing list