[dns-operations] Double-signature validation "And" or "OR" ?

Mark Andrews marka at isc.org
Thu Jun 1 03:16:39 UTC 2017

In message <013b01d2da80$426d3cd0$c747b670$@cn>, =?gb2312?B?RGF2ZXkgU29uZyjLzsHWvaEp?= writes:
> Hi folks,
> I encounter a question on how DNSSEC validating resolver work if it
> receive double-signature. Does it require the resolver to validate
> both signatures or only one signature if that one is validated?
> I guess the relation of the two signature is logic "Or" for unique
> algorithm, and logic "And" for multiple algorithm. Because I read some
> resolver checks that a valid chain of trust exists for different algorithm
> separately (like Unbound). Is it true?
> Best regards,
> Davey

The rules are written this way to ensure that you *generate* answers
that can be validated by resolvers that just support algorithm A
and by those that just support algorithm B or those that support
both.  Those rules reference DNSKEYs.  Also a zone is only deemed
to be signed with a algorithm if there are DS records that say it
is signed with that algorithm at the parent.

Some validators took the presence of algorithms in DNSKEY records
to mean that answers are supposed to be signed that algorithm but
that ignored that the DNS is loosely coherent and that DS records
determine if a zone is supposed to be able to be validated using a
algorithm.  Those validators were mis-implementing DNSSEC.

A validator can choose OR or AND but it must use the DS records to
determine the set of algorithms that are active rather than those
in the DNSKEY RRset.  The two sets can be different.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list