[dns-operations] Multiple DS DNSSEC validation
Emil Natan
e at foowatch.com
Tue Jul 11 07:26:59 UTC 2017
> -------- Original Message --------
> Subject: [dns-operations] Multiple DS DNSSEC validation
> Local Time: July 11, 2017 6:08 AM
> UTC Time: July 11, 2017 3:08 AM
> From: rubensk at nic.br
> To: dns-operations <dns-operations at dns-oarc.net>
> My reading of DNSSEC RFCs couldn"t negate or confirm whether the DNSSEC architecture I"ll describe below works or not. Any hints on that are appreciated.
> A zone is delegated to 3 name servers (unicast for simplicity); those 3 name servers operate independently of each other, each of them having an unique key for that same zone. All of them have all 3 DNSKEY responses for that zone, the DNSKEY records being the same among all of them.
> A DS record for each of the name servers key is inserted into parent, making all RRSIGs produced by any of the name servers valid, including the RRSIG for the DNSKEY records.
> it just happens that depending on name server an specific key will be used, since each one only has its own private key, although knowing the public keys of all 3.
> Does this break anything ? If it indeed breaks, is there an alternative ?
As others mentioned this should work. One thing to pay attention to is all keys share the same algorithm. Otherwise the DNSKEY should be signed with a key of each algorithm.
Emil
> Rubens
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170711/1c6cc602/attachment.html>
More information about the dns-operations
mailing list