DS record RRSIG

Tony Finch dot at dotat.at
Tue Jul 2 18:15:51 UTC 2019


Josh Kuo <josh.kuo at gmail.com> wrote:
>
> There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> that the single RRSIG is generated by somehow concatenating all DS records
> together.

Correct.

> This then leads me to believe that the validating resolver needs to
> process _all_ DS records, not just the ones whose key tag matches the
> child zone's KSK.

Not quite.

One way to validate a delegation is:

* validate the DS RRset, which is signed using the parent's DNSKEY(s)
  [ you can see the "com" signer field in the "example.com" RRSIG ]

* get the key tags from the DS RRset (the first field in the records)
  and the key tags from the child's DNSKEY RRSIG records (between lifetime
  fields and the signer field) and calculate the key tags of the
  child's DNSKEY records

* take the intersection of these three sets; these key tags identify keys
  that the parent says can validate the DNSKEY RRset, and that actually do
  validate the DNSKEY RRset, and that can be used to validate the DNSKEY
  RRset

* for each DNSKEY in the set, ensure that there is a DS record whose
  digest matches it [ you can skip matching attempts when the key
  tags do not match ]

* using the public keys and signatures you just identified, try to
  validate the self-signature on the DNSKEY RRset; if any of the
  signatures validates, it's all good! [ again the key tags let you
  skip pointless signature validation attempts ]

There are some extra complications to do with downgrade protection, but
that's the basic idea.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
women and men working together
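
The procedure in Tony's message, as an added worked example in Python; this is not code from the message or from BIND. It computes RFC 4034 key tags and DS digests, then applies the key-tag intersection and DS digest-matching steps to a constructed DNSKEY/DS/RRSIG scenario. The owner name, key bytes, DS records and RRSIG key tags are all constructed for illustration, and the last step (checking the self-signature on the DNSKEY RRset with the surviving keys) needs a DNSSEC crypto library and is left out.

```python
"""Key-tag and DS-matching steps of delegation validation (RFC 4034).
Added example, not code from Tony's message or from BIND; every name, key
and record below is constructed. Checking the RRSIG over the DNSKEY RRset
with the surviving keys needs a crypto library and is not done here."""
import hashlib
import struct
from typing import List, NamedTuple, Tuple


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256 (RFC 4509)
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except obsolete RSA/MD5, alg 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest per RFC 4034 s5.1.4: hash(owner name in wire form || DNSKEY RDATA)."""
    if digest_type == 1:
        h = hashlib.sha1()
    elif digest_type == 2:
        h = hashlib.sha256()
    else:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    h.update(name_to_wire(owner) + rdata)
    return h.digest()


def candidate_keys(ds_rrset: List[DS], dnskeys: List[bytes],
                   rrsig_key_tags: List[int], owner: str) -> List[Tuple[int, bytes]]:
    """(key tag, DNSKEY RDATA) pairs that survive the three-way key-tag intersection
    AND have a DS record whose digest matches the key.
    Assumes the DS RRset was already validated with the parent's DNSKEY(s)."""
    ds_tags = {ds.key_tag for ds in ds_rrset}
    keys_by_tag = {}
    for rdata in dnskeys:          # key tags can collide, so keep a list per tag
        keys_by_tag.setdefault(key_tag(rdata), []).append(rdata)
    usable_tags = ds_tags & set(rrsig_key_tags) & set(keys_by_tag)
    matched = []
    for tag in sorted(usable_tags):
        for rdata in keys_by_tag[tag]:
            algorithm = rdata[3]
            for ds in ds_rrset:
                # key tag and algorithm are a cheap pre-filter before hashing
                if ds.key_tag != tag or ds.algorithm != algorithm:
                    continue
                try:
                    if ds_digest(owner, rdata, ds.digest_type) == ds.digest:
                        matched.append((tag, rdata))
                        break      # one matching DS is enough for this key
                except ValueError:
                    continue       # unknown digest type: treat as no match
    return matched


# ---- constructed scenario (not real example.com data) ----
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))        # signs the DNSKEY RRset
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 0, -1)))    # no DS in the parent
OLD_KSK = dnskey_rdata(257, 3, 13, bytes([7] * 64))        # DS still published, not signing
DNSKEYS = [KSK, ZSK, OLD_KSK]
RRSIG_KEY_TAGS = [key_tag(KSK), key_tag(ZSK)]   # key tags seen in the RRSIG(DNSKEY) records
DS_RRSET = [
    DS(key_tag(KSK), 13, 2, bytes(32)),                       # right tag, wrong digest
    DS(key_tag(KSK), 13, 2, ds_digest(OWNER, KSK, 2)),        # the genuine SHA-256 DS
    DS(key_tag(KSK), 13, 1, ds_digest(OWNER, KSK, 1)),        # same key, SHA-1 DS
    DS(key_tag(OLD_KSK), 13, 2, ds_digest(OWNER, OLD_KSK, 2)),
    DS(0, 13, 2, bytes(32)),                                  # tag of no key in the zone
]


def delegation_candidates() -> List[int]:
    """Key tags of the keys worth attempting a DNSKEY RRSIG validation with."""
    return [tag for tag, _ in candidate_keys(DS_RRSET, DNSKEYS, RRSIG_KEY_TAGS, OWNER)]


if __name__ == "__main__":
    print("DS tags:    ", sorted({ds.key_tag for ds in DS_RRSET}))
    print("DNSKEY tags:", [key_tag(k) for k in DNSKEYS])
    print("RRSIG tags: ", RRSIG_KEY_TAGS)
    print("try validating with:", delegation_candidates())
```

Only the KSK survives: the ZSK signs but has no DS, the old KSK has a DS but no signature, and the DS with the right key tag but a bogus digest is skipped because digest matching, not the key tag alone, decides. In the real resolver path the surviving key(s) are then used to check the RRSIG over the DNSKEY RRset, which is the step omitted here.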

