[dns-operations] TLD .law - non-signing KSK with referenced DS
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Jan 14 10:30:07 UTC 2022
On Fri, Jan 14, 2022 at 10:09:04AM +0000, Matthew Richardson wrote:
> Looking visually at the DNSViz output, the KSK 16819 does look strange as
> it is referenced by a DS but does not sign anything.
>
> Out of interest, do folks think this is a valid configuration?

Looks valid to me, because another KSK for the same algorithm and
choice of hash does sign the DNSKEY RRset:

law. IN DS 16819 8 2 95780a78d18660435d9ca2cd540eab240d82bca353d2d4519fa1572735fbb64c
law. IN DS 59981 8 2 59a00484d23b01cf601679a4010858bd1111416d534090708dd0ebc67b194a8a
law. 7144 IN RRSIG DNSKEY 8 1 7200 (
20220216030538 20220112024947 59981 law.
KhqErDzZ2apFJa8Ei549/ET8klrc4h90I1KWe4C6JRRN
BqJM6d9P9YzI57KX0T7Q/wV9X6Y119JJ16MxJVtc0W0i
qcdmvfqsU6WFCZZn/xbS32YHx9cRbIWyywueVMGNCK+N
uqeS0G28XOTYxKMTAsnJOx2MXlhNoYxEBzionGAqgwTh
Gz8dLE2B/+1OY465VtKXpWuLvB6B4mJbH8XYThd/Ry/G
w+0dBzdphiWLQmmEmlWreqNNJYiV+72NVXakM76KWKgL
eTT7v/8Say35HjlaZeVAtLKgTR2EyrdURqDsR/EDLSot
kC1NbyBPjqrIDvvu3GaYV0nT8Rurb/yQyQ== )
law. 7144 IN DNSKEY 257 3 8 (
AwEAAa+2KvOfIuBFFIwoKCcWJueYv+Es9kgSaaCCDvAb
6i9ESIQvJfxzddQnOwr3QCLQ6zjWZx4FfYqpS7SQR6kK
ttTB7i8kz35Rf1M4LbElYbhb5qWVUO9qGkzXOr3UOgFS
4JaGzdvpb47h+dmsix46NNMeirn8uH9KYi73BG9rDUJF
ICNGLqp5ikkXLevxqSVIfvn1aZzjYrkJMTwlNoKHu3CW
7IZNoF4L/Aqoams9X2jML5H1/+KkRXT+wflTZOc0AnMD
wusTlEYACJWxo2u6njmwGFaJrhWKsghar5wsTnmBiRf/
GRbXX+shX4a4ceDxvE+s7Y8qVe8cvhxeY+kC/f0=
) ; KSK; alg = RSASHA256 ; key id = 59981
law. 7144 IN DNSKEY 257 3 8 (
AwEAAfKTNLkKt3RPm/CnRLWo8sFgnxECNvusQi+G3nOJ
TyVivOkRgjVaXu9kHAhMA3OSVrLdFwfqQSp69afx0iaA
3AmTa2dHAV9zt7dwHshgU6ij59Pn3f5A8ZW0hg/KwhEu
KRF6fiSR4Y/cOH9SeLJyI4GWECO1/Fhq4brzzlzy8mme
IHfdgxGMUWCm6HjTDZkRoYuhNeQpl3pza1PlHOwRt2mk
v5LrlLEINRUiLOW7O7GI/Gmgra1qidZlddqt5dsl7nC5
DW63d1uDA+i8jukJAviG6OAVyaKU737hZNnUg3iLIvr/
0M+gibbqG6x9AMX+kfswgsxetDqmqs9gzBvma4M=
) ; KSK; alg = RSASHA256 ; key id = 16819
law. 7144 IN DNSKEY 256 3 8 (
AwEAAfCS3/rPe3RcIpMcCcMe6jn3e3hs07fJ7B7OHCHU
+fnOAb51XcOmSqejpq7R7tKfsRKl2fywZ4q+1SaAhKj5
yya1dbN8rrAQVcPWmbG15LZZ45BXcooC55v36pZH3/Mr
pGIhiKQfWRcAq1cc19fZJ25e6VeXMvCQDEEbZjSpLP5U
UrxVEafllZfmB4nHsduNCXBXVpBO5TtGeM2YOiLG2oHY
+hMiQa5FSkmMKivRQjcbgnV42PHSg8GlB/if6dc9pdM3
leAOw9ZqmlThQVfhnY0H6Gp0Jfm2HDRQxDshqAvVO/Wi
OqbvxiB69JGYoIKSn80HNq0i5omR+A/Qkk0PTH0=
) ; ZSK; alg = RSASHA256 ; key id = 18780
law. 7144 IN DNSKEY 256 3 8 (
AwEAAefLijZa02MOX319KWTNcLzc4shANo2Br9iM3iMM
OMZC1A1PxrVw91maEuFd/9MUfi3r6cq/oaHZzqq4pKUw
nf1ARhEdgykivK0XyFwCfvWrHKanhgNl50xgrGyyPasl
IzjrBcmWuM1GrLXuq/7zlWaHvrfkl4aJw9lKdnqwGl2C
TPcVMrtUEM1TaqsnpAyoJfK9slIWZ+buYXwoMEbyk2k=
) ; ZSK; alg = RSASHA256 ; key id = 51180
--
Viktor.
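
The reasoning in the reply above, as an added example that is not part of the original post: a Python check over the key tags, algorithms and digest types quoted in the message. It assumes the RRSIG over the DNSKEY RRset has already been cryptographically verified, and it requires a signing key for every (algorithm, digest type) pair in the DS RRset, which is stricter than a validator needs; all function and variable names are hypothetical.

```python
from collections import namedtuple

# Key tags, algorithms, digest types and flags are those quoted in the post.
# Assumption: the RRSIG listed below has already been verified cryptographically.
DS = namedtuple("DS", "key_tag algorithm digest_type")
DNSKEY = namedtuple("DNSKEY", "key_tag algorithm flags")

LAW_DS = [DS(16819, 8, 2), DS(59981, 8, 2)]
LAW_DNSKEYS = [DNSKEY(59981, 8, 257), DNSKEY(16819, 8, 257),
               DNSKEY(18780, 8, 256), DNSKEY(51180, 8, 256)]
LAW_DNSKEY_SIGNERS = [(59981, 8)]  # (key tag, algorithm) of each RRSIG DNSKEY

ZONE_KEY = 0x0100  # a DS may only refer to a DNSKEY with the Zone Key flag set


def classify_ds(ds_set, dnskeys, signers):
    """Label each DS as 'signing', 'non-signing' or 'no-dnskey'."""
    published = {(k.key_tag, k.algorithm) for k in dnskeys if k.flags & ZONE_KEY}
    signing = set(signers)
    result = {}
    for ds in ds_set:
        ident = (ds.key_tag, ds.algorithm)
        if ident not in published:
            result[ds] = "no-dnskey"      # stale or pre-published DS
        elif ident in signing:
            result[ds] = "signing"        # completes the chain of trust
        else:
            result[ds] = "non-signing"    # the KSK 16819 case from the thread
    return result


def delegation_ok(ds_set, dnskeys, signers):
    """True if every (algorithm, digest type) in the DS RRset has a signing key."""
    status = classify_ds(ds_set, dnskeys, signers)
    groups = {(ds.algorithm, ds.digest_type) for ds in ds_set}
    covered = {(ds.algorithm, ds.digest_type)
               for ds, state in status.items() if state == "signing"}
    return bool(groups) and groups == covered


if __name__ == "__main__":
    for ds, state in classify_ds(LAW_DS, LAW_DNSKEYS, LAW_DNSKEY_SIGNERS).items():
        print(ds.key_tag, state)
    print("delegation ok:", delegation_ok(LAW_DS, LAW_DNSKEYS, LAW_DNSKEY_SIGNERS))
```

The check works on key tags only, so it does not detect key tag collisions or a DS digest that fails to match the published key.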