KSK signing zone records

raf bind at raf.org
Thu Sep 2 01:42:10 UTC 2021


On Thu, Sep 02, 2021 at 11:15:32AM +1000, Mark Andrews <marka at isc.org> wrote:

> The primary reason that it is per algorithm is that validators and
> signers are not required to support the same sets of algorithms and
> if you want validation to work for everyone the zone has to be fully
> signed for each algorithm that you state that it is signed for, i.e.
> published in the DS RRset held in the parent zone.  CDS and CDNSKEY
> also publish this but are not used as part of the validation process.
> 
> If you publish that you are signed for ALG-A and ALG-B and the validator
> only supports ALG-B, then if you don't sign all the zone with ALG-B
> there will be answers that can’t be validated.  The same applies if
> the validator only supports ALG-A and you don’t fully sign the zone
> with ALG-A.
> 
> Downgrade attacks are where you support both algorithms but someone
> strips out the signatures from one of the algorithms because they
> have succeeded in breaking the other algorithm.  DNSSEC does not
> require that validators detect this condition, though some validators
> can be configured to force checks for every published algorithm that
> you support. If a validator wants to protect itself from downgrade
> attacks it needs to limit itself to only checking RRSIGs for algorithms
> listed in the DS RRset and ensure that all algorithms listed there are
> present in the response and that the signatures are good.
> 
> Mark 

Thanks again!

cheers,
raf
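The behaviour Mark describes, as an added example that is not part of the original post or of any BIND code: a small model of a validator that checks only the algorithms published in the parent's DS RRset, first the usual lenient rule (one good signature under any supported DS-listed algorithm suffices) and then the downgrade-resistant rule (every supported DS-listed algorithm must be present and good). It also checks whether a zone is fully signed for each DS-published algorithm before the DS records go in the parent. The `RRSIG`, `Response` and `unsigned_for` names, the `valid` flag standing in for real cryptographic verification, and the sample zone and responses are all constructed for illustration; only the algorithm numbers are the real IANA DNSSEC algorithm numbers.

```python
"""Toy model of per-algorithm DNSSEC validation (not a resolver).

Added example: the classes, the `valid` flag and the sample data are
constructed stand-ins; algorithm numbers are the IANA assignments.
"""
from dataclasses import dataclass

RSASHA256 = 8          # "ALG-A" in the discussion
ECDSAP256SHA256 = 13   # "ALG-B" in the discussion
ED25519 = 15           # used below as an algorithm NOT published in the DS RRset


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    valid: bool   # stand-in for "verified under a DNSKEY chained from the DS"


@dataclass(frozen=True)
class Response:
    name: str
    rrsigs: tuple  # RRSIGs covering the answer RRset


def validate_lenient(ds_algorithms, supported, response):
    """Minimum behaviour DNSSEC requires: if the DS RRset lists no algorithm
    we support, the zone is treated as 'insecure'; otherwise one good RRSIG
    under any supported DS-listed algorithm is enough for 'secure'.
    An attacker who strips one algorithm's signatures is not noticed."""
    checkable = set(ds_algorithms) & set(supported)
    if not checkable:
        return "insecure"
    for sig in response.rrsigs:
        if sig.algorithm in checkable and sig.valid:
            return "secure"
    return "bogus"


def validate_strict(ds_algorithms, supported, response):
    """Downgrade-resistant behaviour: only RRSIGs whose algorithm appears in
    the DS RRset count at all, and every such algorithm we can check must be
    present with a good signature. A response missing one is 'bogus'."""
    checkable = set(ds_algorithms) & set(supported)
    if not checkable:
        return "insecure"
    good = {sig.algorithm for sig in response.rrsigs
            if sig.algorithm in checkable and sig.valid}
    return "secure" if good == checkable else "bogus"


def unsigned_for(ds_algorithms, zone):
    """zone maps owner name -> set of algorithms that sign its RRsets.
    Returns {name: algorithms missing} for every name not signed with every
    algorithm the DS RRset advertises. This must be empty before publishing
    DS records for both algorithms, or some validators will get 'bogus'."""
    return {name: set(ds_algorithms) - algs
            for name, algs in zone.items()
            if set(ds_algorithms) - algs}


if __name__ == "__main__":
    ds = {RSASHA256, ECDSAP256SHA256}
    both = Response("www.example.",
                    (RRSIG(RSASHA256, True), RRSIG(ECDSAP256SHA256, True)))
    # constructed downgrade: the ECDSA signatures were stripped in transit
    stripped = Response("www.example.", (RRSIG(RSASHA256, True),))
    print("intact:  ", validate_lenient(ds, ds, both), validate_strict(ds, ds, both))
    print("stripped:", validate_lenient(ds, ds, stripped), validate_strict(ds, ds, stripped))
    # constructed zone where one name was only ever signed with RSA
    zone = {"example.": {8, 13}, "www.example.": {8, 13}, "mail.example.": {8}}
    print("not fully signed:", unsigned_for(ds, zone))
```

Run as a script it prints `secure secure` for the intact response and `secure bogus` for the stripped one, which is the whole point: a validator that accepts any one good algorithm cannot tell a stripped response from one the zone never double-signed, so the strict rule only works if the zone really is fully signed for every algorithm in the DS RRset, which is what `unsigned_for` checks.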
