DS record RRSIG

Josh Kuo josh.kuo at gmail.com
Tue Jul 2 17:34:12 UTC 2019


This may not be the right place to ask; if this question is better asked on
a different list, please let me know.

I am curious as to how BIND generates and processes DS RRSIG, and this may
not be unique to BIND, since I've seen this behavior across multiple
vendors. From the following:

$ dig example.com. DS +dnssec +nocrypto

; <<>> DiG 9.12.2-P2 <<>> example.com. DS +dnssec +nocrypto
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN DS

;; ANSWER SECTION:
example.com. 84558 IN DS 43547 8 2 [omitted]
example.com. 84558 IN DS 31406 8 1 [omitted]
example.com. 84558 IN DS 31406 8 2 [omitted]
example.com. 84558 IN DS 31589 8 1 [omitted]
example.com. 84558 IN DS 31589 8 2 [omitted]
example.com. 84558 IN DS 43547 8 1 [omitted]
example.com. 84558 IN RRSIG DS 8 2 86400 20190709042256 20190702031256 3800
com. [omitted]

;; Query time: 228 msec
;; SERVER: 10.0.22.1#53(10.0.22.1)
;; WHEN: Wed Jul 03 01:27:42 PST 2019
;; MSG SIZE  rcvd: 455

There are 6 DS records total, but only 1 RRSIG. This leads me to believe
that the single RRSIG is generated by somehow concatenating all DS records
together. This then leads me to believe that the validating resolver needs
to process _all_ DS records, not just the ones whose key tag matches the
child zone's KSK. Is this true? It seems like a small overhead in the grand
scheme of things, but it seems inefficient if multiple DS records are left at
the parent zone after a couple of key rollovers.

Any information on this would be appreciated.

-Josh
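The signing input that RFC 4034 (section 3.1.8.1) defines for an RRSIG, built for the DS RRset in the dig output above, as an added example that is not part of the original post and not BIND's code. The RRSIG fields (type DS, algorithm 8, 2 labels, original TTL 86400, the two timestamps, key tag 3800, signer "com.") are copied from the post; the six DS digests are constructed placeholders because the post omits them. The RRs are put into canonical order and concatenated after the RRSIG RDATA prefix, and the SHA-256 of that blob is what an algorithm 8 (RSA/SHA-256) key signs, so the example shows why one RRSIG covers all six DS records and why a validator has to feed every DS in the set into the hash, not only the one whose key tag matches the child's KSK.

```python
import calendar
import hashlib
import struct
import time

# Wire-format constants from RFC 1035 / RFC 4034
TYPE_DS = 43
CLASS_IN = 1

# Values taken from the RRSIG in the dig output: type covered DS, algorithm 8,
# 2 labels, original TTL 86400, expiration/inception, key tag 3800, signer com.
RRSIG_ALG = 8
RRSIG_LABELS = 2
RRSIG_ORIG_TTL = 86400
RRSIG_EXPIRATION = "20190709042256"
RRSIG_INCEPTION = "20190702031256"
RRSIG_KEY_TAG = 3800
RRSIG_SIGNER = "com."

# Constructed DS RDATA for the six records (the post omits the real digests):
# (key_tag, algorithm, digest_type, digest). Digest type 1 is SHA-1 (20 bytes),
# type 2 is SHA-256 (32 bytes); the digest byte values here are made up.
CONSTRUCTED_DS = [
    (43547, 8, 2, bytes.fromhex("11" * 32)),
    (31406, 8, 1, bytes.fromhex("22" * 20)),
    (31406, 8, 2, bytes.fromhex("33" * 32)),
    (31589, 8, 1, bytes.fromhex("44" * 20)),
    (31589, 8, 2, bytes.fromhex("55" * 32)),
    (43547, 8, 1, bytes.fromhex("66" * 20)),
]


def yyyymmddhhmmss_to_epoch(stamp: str) -> int:
    """RRSIG presentation-format timestamp (UTC) -> 32-bit seconds since epoch."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))


def name_to_wire(name: str) -> bytes:
    """Canonical domain name: lowercase, length-prefixed labels, root label byte."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_rdata(key_tag: int, alg: int, digest_type: int, digest: bytes) -> bytes:
    """DS RDATA wire form (RFC 4034 section 5.1): key tag, algorithm, digest type, digest."""
    return struct.pack("!HBB", key_tag, alg, digest_type) + digest


def rrsig_rdata_prefix() -> bytes:
    """RRSIG RDATA with the Signature field left off (RFC 4034 section 3.1.8.1)."""
    return struct.pack(
        "!HBBIIIH",
        TYPE_DS, RRSIG_ALG, RRSIG_LABELS, RRSIG_ORIG_TTL,
        yyyymmddhhmmss_to_epoch(RRSIG_EXPIRATION),
        yyyymmddhhmmss_to_epoch(RRSIG_INCEPTION),
        RRSIG_KEY_TAG,
    ) + name_to_wire(RRSIG_SIGNER)


def signing_input(owner: str, ds_records) -> bytes:
    """Data the RRSIG signs: RRSIG_RDATA | RR(1) | RR(2) | ... where the RRs are
    in canonical order (RFC 4034 section 6.3: sorted by RDATA as an unsigned octet
    string) and each RR's TTL is replaced by the RRSIG Original TTL."""
    owner_wire = name_to_wire(owner)
    rdatas = sorted(ds_rdata(*ds) for ds in ds_records)  # canonical RR ordering
    rrs = [
        owner_wire + struct.pack("!HHIH", TYPE_DS, CLASS_IN, RRSIG_ORIG_TTL, len(rd)) + rd
        for rd in rdatas
    ]
    return rrsig_rdata_prefix() + b"".join(rrs)


def signing_hash(owner: str, ds_records) -> str:
    """SHA-256 of the signing input. For algorithm 8 (RSA/SHA-256) this digest is
    what the signer's RSA key signs, so any change to the RRset changes it."""
    return hashlib.sha256(signing_input(owner, ds_records)).hexdigest()


if __name__ == "__main__":
    full = signing_hash("example.com.", CONSTRUCTED_DS)
    # Input order does not matter: canonical ordering normalises it before hashing.
    print(full == signing_hash("example.com.", list(reversed(CONSTRUCTED_DS))))  # True
    # Dropping any one DS record changes the signed data, so a validator must
    # hash all six DS RRs to check the single RRSIG over the set.
    print(full == signing_hash("example.com.", CONSTRUCTED_DS[1:]))  # False
```

The second check is the practical point for anyone debugging a validation failure after a key rollover: the validator only needs one DS to match the child's KSK, but the RRSIG over the DS RRset is verified against every DS the parent publishes, so a stale or malformed DS left behind in the parent still has to be carried through the hash, and an inconsistent copy of the RRset (for instance a partially propagated set at a secondary) breaks validation for the whole set.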