[dns-operations] ZSK algorithm different from DS/KSK algorithm?

Mark Andrews marka at isc.org
Thu Nov 16 21:27:31 UTC 2017


> On 17 Nov 2017, at 5:36 am, Casey Deccio <casey at deccio.net> wrote:
> 
> 
> 
>> On Nov 14, 2017, at 9:23 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> Is it OK to have DS records for just algorithm 8, a KSK with algorithm 8,
>> but a ZSK with algorithm 7?
> 
> What is curious about this is that two of the three NSEC3 records are signed with both algs 7 and 8, and one (the NSEC3 corresponding to the closest enclosure) is only signed by alg 7.  I wonder what led to the inconsistency.  While for most (all?) implementations it should be fine, but as Mark indicated, for a validator that only supports alg 8, that makes the NSEC3 record bogus, as well as the negative proof.
> 
> http://dnsviz.net/d/_25._tcp.diogenes.leeuwarden.nl/WgupAQ/dnssec/?rr=all&a=8&ds=all&ta=.&tk

Named will produce a zone like this while it is incrementally signing
a zone with a new algorithm.  This conceptually no different to having
a load balancer with two versions of the zone one with only alg 8 and
one with alg 8 and alg 7.  The only difference is that you can occasionally
see artefacts like this.  Named signals when the zone is fully signed
with both algorithms.  At that point the DS for the new algorithm can be
published.

Zone signing for large zones is a lengthy process and produces a very
large delta if done as single operation.  This process impacts on the ability
to add new zone content while this is happening.

Generating a new NSEC3 chain has similar constraints.  When the chain
is fully generated the NSEC3PARAM record for the chain is added to the zone.

Mark

> Casey
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org





More information about the dns-operations mailing list