DS record RRSIG

Ondřej Surý ondrej at isc.org
Tue Jul 2 17:49:14 UTC 2019


Yes, the whole RRSet is always signed.  Signing individual records would not protect against attacks stripping individual records and their RRSIGs.

Ondrej
--
Ondřej Surý
ondrej at isc.org

> On 2 Jul 2019, at 19:34, Josh Kuo <josh.kuo at gmail.com> wrote:
> 
> This may not be the right place to ask, if this is a better question asked in a different list, please let me know.
> 
> I am curious as to how BIND generates and processes DS RRSIG, and this may not be unique to BIND, since I've seen this behavior across multiple vendors. From the following:
> 
> $ dig example.com. DS +dnssec +nocrypto 
> 
> ; <<>> DiG 9.12.2-P2 <<>> example.com. DS +dnssec +nocrypto
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;example.com.	IN	DS
> 
> ;; ANSWER SECTION:
> example.com.	84558	IN	DS	43547 8 2 [omitted]
> example.com.	84558	IN	DS	31406 8 1 [omitted]
> example.com.	84558	IN	DS	31406 8 2 [omitted]
> example.com.	84558	IN	DS	31589 8 1 [omitted]
> example.com.	84558	IN	DS	31589 8 2 [omitted]
> example.com.	84558	IN	DS	43547 8 1 [omitted]
> example.com.	84558	IN	RRSIG	DS 8 2 86400 20190709042256 20190702031256 3800 com. [omitted]
> 
> ;; Query time: 228 msec
> ;; SERVER: 10.0.22.1#53(10.0.22.1)
> ;; WHEN: Wed Jul 03 01:27:42 PST 2019
> ;; MSG SIZE  rcvd: 455
> 
> There are 6 DS records total, but only 1 RRSIG. This leads me to believe that the single RRSIG is generated by somehow concatenating all DS records together. This then leads me to believe that the validating resolver needs to process _all_ DS records, not just the ones whose key tag matches the child zone's KSK. Is this true? It seems like a small overhead in the grand scheme of things, but that seems inefficient, if multiple DS records are left at the parent zone after a couple of key rollovers.
> 
> Any information on this would be appreciated.
> 
> -Josh
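To make the reply concrete, the following is an added example (not code from the post, from BIND, or from ISC) that assembles the octets an RRSIG signer hashes for the DS RRset shown above, per RFC 4034 sections 3.1.8.1 and 6.3; the six DS digests are constructed placeholders because the post omits them, and the RRSIG fields (type, algorithm 8, label count 2, original TTL 86400, validity window, key tag 3800, signer com.) are taken from the quoted dig output.

```python
import calendar
import hashlib
import struct
import time

# Constructed stand-ins for the six DS records in the dig output:
# (key tag, algorithm, digest type, digest). The real digests were omitted
# in the post, so placeholder bytes of the right length are used here.
DS_RRSET = [
    (43547, 8, 2, b"\x01" * 32),
    (31406, 8, 1, b"\x02" * 20),
    (31406, 8, 2, b"\x03" * 32),
    (31589, 8, 1, b"\x04" * 20),
    (31589, 8, 2, b"\x05" * 32),
    (43547, 8, 1, b"\x06" * 20),
]
TYPE_DS = 43

def wire_name(name):
    """RFC 4034 section 6.2: owner name as uncompressed, lowercase wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_rdata(key_tag, alg, digest_type, digest):
    return struct.pack("!HBB", key_tag, alg, digest_type) + digest

def yyyymmddhhmmss(s):
    """RRSIG presentation-format timestamp to seconds since the epoch (UTC)."""
    return calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S"))

def rrsig_rdata_no_sig(type_covered, alg, labels, orig_ttl, exp, inc, key_tag, signer):
    """RRSIG RDATA with the Signature field removed (RFC 4034 section 3.1.8.1)."""
    return struct.pack("!HBBIIIH", type_covered, alg, labels, orig_ttl,
                       yyyymmddhhmmss(exp), yyyymmddhhmmss(inc), key_tag) + wire_name(signer)

def signed_data(owner, rtype, orig_ttl, rdatas, rrsig_prefix):
    """Octets the signer hashes: RRSIG_RDATA | RR(1) | ... | RR(n). Every RR of the
    set is included, in canonical order (sorted by RDATA, RFC 4034 section 6.3),
    with class IN and the RRSIG's original TTL rather than the cached TTL."""
    rrs = b"".join(wire_name(owner) + struct.pack("!HHIH", rtype, 1, orig_ttl, len(rd)) + rd
                   for rd in sorted(rdatas))
    return rrsig_prefix + rrs

def ds_rrset_digest(rrset):
    """SHA-256 over the signed data for example.com's DS RRset (the hash RSASHA256 signs)."""
    prefix = rrsig_rdata_no_sig(TYPE_DS, 8, 2, 86400, "20190709042256", "20190702031256", 3800, "com.")
    return hashlib.sha256(signed_data("example.com.", TYPE_DS, 86400,
                                      [ds_rdata(*r) for r in rrset], prefix)).hexdigest()

def stripping_is_detectable(rrset):
    """Dropping any single DS record changes the digest, so the one RRSIG no longer verifies."""
    full = ds_rrset_digest(rrset)
    return all(ds_rrset_digest(rrset[:i] + rrset[i + 1:]) != full for i in range(len(rrset)))
```

Because the canonical order is fixed by RDATA, the digest is the same regardless of the order in which the DS records arrive in the response, which is why a validator must feed all six records, not only the one matching the child's KSK, into the verification.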
