DS record RRSIG

Josh Kuo josh.kuo at gmail.com
Tue Jul 2 18:11:36 UTC 2019


Thank you for the clarification.

On Wed, Jul 3, 2019 at 1:49 AM Ondřej Surý <ondrej at isc.org> wrote:

> Yes, the whole RRSet is always signed.  Signing individual records would
> not protect against attacks stripping individual records and their RRSIGs.
>
> Ondrej
> --
> Ondřej Surý
> ondrej at isc.org
>
> > On 2 Jul 2019, at 19:34, Josh Kuo <josh.kuo at gmail.com> wrote:
> >
> > This may not be the right place to ask; if this question is better asked on a different list, please let me know.
> >
> > I am curious as to how BIND generates and processes DS RRSIG, and this
> > may not be unique to BIND, since I've seen this behavior across multiple
> > vendors. From the following:
> >
> > $ dig example.com. DS +dnssec +nocrypto
> >
> > ; <<>> DiG 9.12.2-P2 <<>> example.com. DS +dnssec +nocrypto
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;example.com. IN      DS
> >
> > ;; ANSWER SECTION:
> > example.com.  84558   IN      DS      43547 8 2 [omitted]
> > example.com.  84558   IN      DS      31406 8 1 [omitted]
> > example.com.  84558   IN      DS      31406 8 2 [omitted]
> > example.com.  84558   IN      DS      31589 8 1 [omitted]
> > example.com.  84558   IN      DS      31589 8 2 [omitted]
> > example.com.  84558   IN      DS      43547 8 1 [omitted]
> > example.com.  84558   IN      RRSIG   DS 8 2 86400 20190709042256 20190702031256 3800 com. [omitted]
> >
> > ;; Query time: 228 msec
> > ;; SERVER: 10.0.22.1#53(10.0.22.1)
> > ;; WHEN: Wed Jul 03 01:27:42 PST 2019
> > ;; MSG SIZE  rcvd: 455
> >
> > There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> > that the single RRSIG is generated by somehow concatenating all DS records
> > together. This then leads me to believe that the validating resolver needs
> > to process _all_ DS records, not just the ones whose key tag matches the
> > child zone's KSK. Is this true? It seems like a small overhead in the grand
> > scheme of things, but that seems inefficient if multiple DS records are
> > left at the parent zone after a couple of key rollovers.
> >
> > Any information on this would be appreciated.
> >
> > -Josh
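Added example (not from either poster, and not BIND's code) showing what the "whole RRset is signed" answer means in bytes: it builds the RFC 4034 section 3.1.8.1 signed data for the DS RRset in Josh's dig output, using the RRSIG fields dig printed (DS 8 2 86400 20190709042256 20190702031256 3800 com.) and constructed stand-in digests for the six DS records, then hashes it as an RSA/SHA-256 signature would. Removing any one DS record changes the hash, which is why a validator must feed every DS RR into the check, while input order does not matter because the RRs are put into canonical order first. Only the standard library is used; the RSA step itself (PKCS#1 padding and the private key) is left out.

```python
import calendar, hashlib, struct, time
TYPE_DS, CLASS_IN = 43, 1

def name_to_wire(name):
    """Canonical wire form of a domain name (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def sigtime(s):
    """YYYYMMDDHHmmSS as dig prints it -> seconds since the epoch (RFC 4034 s3.2)."""
    return calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S"))

def rrsig_rdata_prefix(type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA with the Signature field left off (RFC 4034 s3.1.8.1)."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)

def build_signed_data(owner, rtype, rclass, rrsig_prefix, orig_ttl, rdatas):
    """signed_data = RRSIG_RDATA(no signature) | RR(1) | RR(2) | ...; RRs sorted in
    canonical order (by RDATA as unsigned octets, RFC 4034 s6.3), TTL = Original TTL."""
    out = bytearray(rrsig_prefix)
    for rdata in sorted(set(rdatas)):  # an RRset never holds two identical RRs
        out += name_to_wire(owner)
        out += struct.pack("!HHIH", rtype, rclass, orig_ttl, len(rdata)) + rdata
    return bytes(out)

def ds_rdata(key_tag, algorithm, digest_type, digest):
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest

# Constructed sample: the six key-tag/alg/digest-type tuples from the dig output
# with made-up digests (dig printed "[omitted]"); type 1 = SHA-1, type 2 = SHA-256.
SAMPLE_DS = []
for tag in (43547, 31406, 31589):
    SAMPLE_DS.append(ds_rdata(tag, 8, 1, hashlib.sha1(b"fake %d" % tag).digest()))
    SAMPLE_DS.append(ds_rdata(tag, 8, 2, hashlib.sha256(b"fake %d" % tag).digest()))
# RRSIG fields as dig showed them: DS 8 2 86400 20190709042256 20190702031256 3800 com.
PREFIX = rrsig_rdata_prefix(TYPE_DS, 8, 2, 86400, sigtime("20190709042256"),
                            sigtime("20190702031256"), 3800, "com.")

def ds_signed_digest(rdatas):
    """SHA-256 of the signed data (what an alg-8 RSA/SHA-256 signature is computed over)."""
    data = build_signed_data("example.com.", TYPE_DS, CLASS_IN, PREFIX, 86400, rdatas)
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    print("all six DS :", ds_signed_digest(SAMPLE_DS))
    print("reversed   :", ds_signed_digest(SAMPLE_DS[::-1]))  # same: canonical order
    print("one removed:", ds_signed_digest(SAMPLE_DS[1:]))    # differs: sig would fail
```

Note that the RR TTL written into the signed data is the RRSIG's Original TTL (86400), not the 84558 the cache returned, which is why a validator can still verify an RRset after it has aged in a cache.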

