DS record RRSIG
Tony Finch
dot at dotat.at
Tue Jul 2 18:15:51 UTC 2019
Josh Kuo <josh.kuo at gmail.com> wrote:
>
> There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> that the single RRSIG is generated by somehow concatenating all DS records
> together.
Correct.
> This then leads me to believe that the validating resolver needs to
> process _all_ DS records, not just the ones whose key tag matches the
> child zone's KSK.
Not quite.
One way to validate a delegation is:
* validate the DS RRset, which is signed using the parent's DNSKEY(s)
[ you can see the "com" signer field in the "example.com" RRSIG ]
* get the key tags from the DS RRset (the first field in the records)
and the key tags from the child's DNSKEY RRSIG records (between lifetime
fields and the signer field) and calculate the key tags of the
child's DNSKEY records
* take the intersection of these three sets; these key tags identify keys
that the parent says can validate the DNSKEY RRset, and that actually do
validate the DNSKEY RRset, and that can be used to validate the DNSKEY
RRset
* for each DNSKEY in the set, ensure that there is a DS record whose
digest matches it [ you can skip matching attempts when the key
tags do not match ]
* using the public keys and signatures you just identified, try to
validate the self-signature on the DNSKEY RRset; if any of the
signatures validates, it's all good! [ again the key tags let you
skip pointless signature validation attempts ]
There are some extra complications to do with downgrade protection, but
that's the basic idea.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
women and men working together
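The procedure above, worked through as an added example that is not part of Tony's
post and not BIND's code. It builds a constructed example.com zone (one KSK, one
ZSK, two DS records of which one is stale, one RRSIG over the DNSKEY RRset) on the
real RFC 4034/4035 wire formats and RFC 3110 RSA key encoding, then runs the key
tag intersection, the DS digest match and the self-signature check. Assumptions:
the DS RRset is taken as already validated against the parent (step one of the
post), algorithm 8 (RSASHA256) with DS digest type 2 (SHA-256) throughout, and the
RSA keys are 512-bit keys generated in-script so it runs offline; the function and
variable names are mine.

```python
"""Added example (not from the post or from BIND): the delegation check the post
outlines, on real RFC 4034/4035/3110 wire formats. Algorithm 8 (RSASHA256), DS digest
type 2 (SHA-256). The DS RRset is assumed already validated against the parent; the
512-bit RSA keys are generated in-script (demo only) so this runs offline."""
import hashlib, random, struct

TYPE_DNSKEY, ALG_RSASHA256, DS_SHA256 = 48, 8, 2
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def name_wire(name):  # canonical (lowercase) wire-format name
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".")) + b"\x00"

def key_tag(rdata):  # RFC 4034 Appendix B; a checksum, not a hash, so tags can collide
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def rsa_public_wire(e, n):  # RFC 3110: exponent length, exponent, modulus
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return bytes([len(eb)]) + eb + n.to_bytes((n.bit_length() + 7) // 8, "big")

def dnskey_rdata(flags, pubkey):  # flags, protocol 3, algorithm, public key
    return struct.pack("!HBB", flags, 3, ALG_RSASHA256) + pubkey

def ds_digest(owner, rdata):  # RFC 4034 5.1.4: digest(owner name | DNSKEY RDATA)
    return hashlib.sha256(name_wire(owner) + rdata).digest()

def _is_probable_prime(n, rng, rounds=16):  # Miller-Rabin on an odd candidate; fine for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(rng, bits=512):  # returns (e, n, d); tiny modulus, demo only
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return 65537, p * q, pow(65537, -1, phi)

def _pkcs1_em(n, msg):  # EMSA-PKCS1-v1_5 of SHA-256(msg), padded to the modulus length
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return k, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsasha256_sign(d, n, msg):
    k, em = _pkcs1_em(n, msg)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsasha256_verify(pubkey, msg, sig):  # pubkey is the RFC 3110 wire form from the DNSKEY
    elen = pubkey[0]
    e, n = int.from_bytes(pubkey[1:1 + elen], "big"), int.from_bytes(pubkey[1 + elen:], "big")
    k, em = _pkcs1_em(n, msg)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == em

def rrsig_prefix(labels, ttl, expire, incept, tag, signer):  # RRSIG RDATA minus the signature
    return struct.pack("!HBBIIIH", TYPE_DNSKEY, ALG_RSASHA256, labels, ttl, expire, incept, tag) + name_wire(signer)

def signed_data(prefix, owner, ttl, rdatas):  # RFC 4034 3.1.8.1: prefix | RRs in canonical order
    return prefix + b"".join(name_wire(owner) + struct.pack("!HHIH", TYPE_DNSKEY, 1, ttl, len(rd)) + rd
                             for rd in sorted(rdatas))

def validate_delegation(owner, ttl, ds_rrset, dnskey_rrset, rrsigs):
    """Steps 2-5 of the post. ds_rrset: (key_tag, alg, digest_type, digest) tuples, already validated
    against the parent. Returns the key tags whose DS, DNSKEY and RRSIG all line up (non-empty = good)."""
    ds_tags = {t for t, _a, _dt, _dig in ds_rrset}
    sig_tags = {struct.unpack("!H", p[16:18])[0] for p, _s in rrsigs}  # key tag sits at offset 16
    by_tag = {}
    for rd in dnskey_rrset:                     # several keys may share a tag, so keep a list
        by_tag.setdefault(key_tag(rd), []).append(rd)
    good = set()
    for tag in ds_tags & sig_tags & set(by_tag):  # the three-way intersection
        for rd in by_tag[tag]:
            if not any(dt == DS_SHA256 and a == rd[3] and dig == ds_digest(owner, rd)
                       for t, a, dt, dig in ds_rrset if t == tag):
                continue                        # no DS vouches for this exact key
            for prefix, sig in rrsigs:
                if struct.unpack("!H", prefix[16:18])[0] != tag or prefix[2] != rd[3]:
                    continue                    # tag/algorithm mismatch: skip the pointless verification
                if rsasha256_verify(rd[4:], signed_data(prefix, owner, ttl, dnskey_rrset), sig):
                    good.add(tag)
    return good

def build_example(seed=1):
    """Constructed zone: a KSK (flags 257) that signs the DNSKEY RRset, a ZSK (256) that does not,
    a DS for the KSK plus a stale DS for a key no longer in the zone, and a single RRSIG."""
    rng, owner, ttl = random.Random(seed), "example.com.", 3600
    keys = [(flags,) + rsa_keygen(rng) for flags in (257, 256)]
    dnskey_rrset = [dnskey_rdata(flags, rsa_public_wire(e, n)) for flags, e, n, _d in keys]
    tag = key_tag(dnskey_rrset[0])
    prefix = rrsig_prefix(2, ttl, 1600000000 + 30 * 86400, 1600000000, tag, owner)
    sig = rsasha256_sign(keys[0][3], keys[0][2], signed_data(prefix, owner, ttl, dnskey_rrset))
    ds_rrset = [(tag, ALG_RSASHA256, DS_SHA256, ds_digest(owner, dnskey_rrset[0])),
                ((tag + 1) & 0xFFFF, ALG_RSASHA256, DS_SHA256, bytes(32))]
    return owner, ttl, ds_rrset, dnskey_rrset, [(prefix, sig)]
```

validate_delegation(*build_example()) returns the KSK's key tag and nothing else:
the stale DS never reaches the intersection, the ZSK has no DS so it is never
tried against the signature, and only the KSK both matches its DS digest and
verifies the RRSIG. Swap the DS digests for garbage, or flip one bit of any
DNSKEY in the RRset, and the result is the empty set, which is the "reject"
outcome. The key tag checks are purely an optimisation; the digest comparison
and the signature verification are what actually decide.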