child KEY RRs in parent zone

Edward Lewis lewis at tislabs.com
Wed Mar 22 19:01:25 UTC 2000 

At 1:49 PM -0500 3/22/00, Roy Arends wrote:
>RFC 2535, 6.3, states that a KEY RR record of a secured zone may be
>present in the parent zone. If A parent decides not to include the childs
>KEY RR in its zone, how can V8/V9 (dns)signer be instructed to sign the
>childs key (without the key being included in the zone). I think it
>cannot. If that's the case then ehhhh, well ehhhh, what then ?

Historical accidents...when the V8 singer was written, the spec either said
that the parent had to hold the child's keys, or it was read that way.  I
am not sure which is the case.

The entire .PARENT file mechanism is an old-BIND accident, not a DNSSEC
protocol requirement.  While writing the code, we were aware of the problem
created by .PARENT files, but it was a low priority to fix early on.  Then
came the first workshop last year which moved the issue to a "major
problem."

Now, what I mean by a "old-BIND accident" is that when BIND (vers 4 & 8)
loads a zone, it wipes out all information already known about the zone.
Ignoring refreshes of a zone (AXFR's and HUPs), this means that if a server
hosts both zone "a." and "b.a.", the cut point in "a." creating "b.a." is
deleted and replaced by the stuff in the new zone.

Until DNSSEC, this wasn't a problem.  The records at the upper part of a
cut point deferred to the ones below.  The NXT and the SIG (KEY) derived by
the parent changed that.  The PARENT mechanism was invented to avoid having
to rewrite db_load's semantics.

Suffice it to say, BIND 9 will not act the same way when loading the child
of a parent-child pair.  Thus, the .PARENT file contraption will bite the
dust.

>Might this (child key not mandatory for parent zone) be the reason that
>the -p (p1,po,ps,no-p1,no-ps) are not in signer V9, or is it just a beta
>issue ?

Yup - please join us in a round of "Death to the .PARENT file!"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis at tislabs.com

"Trying is the first step to failure." - Homer Simpson
"No! Try not. Do... or do not. There is no try." - Yoda
"It takes years of training to know when to do nothing" - Dogbert 1/21/00

Opinions expressed are property of my evil twin, not my employer.

More information about the bind-users mailing list