[dnssec-deployment] Signatures on the DNSKEY
wouter at NLnetLabs.nl
Thu Oct 1 03:43:35 EDT 2009
On 10/01/2009 12:02 AM, Mark Andrews wrote:
> In message <list-18076913 at execdsl.com>, Jakob Schlyter writes:
>> On 30 sep 2009, at 17.41, Edward Lewis wrote:
>>> Should a DNSKEY set with a mixture of SEP and non-SEP keys (flags
>>> 257 and 256) be (actively) signed by any of its non-SEP key(s)?
>> no, the DNSKEY RRset needs to be signed by SEP keys only (including
>> revoked SEP keys if you do 5011). it does not hurt to sign it with
>> non-SEP keys, but there is no benefit, IMHO.
The only signatures needed for a prepublish rollover are the one from the
current KSK and the signatures from any revoked keys you want to include.
The reason is that keys with the SEP flag (sometimes called 'KSKs') are
generated with flags 257 = (Zone_Key | SEP). Thus these *are* zone
signing keys too.
The requirement is to sign every RRset with a key that has the Zone Key
flag, for every algorithm in use by the zone. Thus, different Zone Keys can
be used to sign different data, and signing the DNSKEY with only SEP keys
is one such policy. This is thus within the 403x spec.
>>> In my opinion, the signature of a non-SEP key over an apex DNSKEY
>>> set is superfluous.
>> I agree.
> It is NOT always superfluous. I've got scenarios where it is required.
> You can't just throw it away. You have to make a decision about
> whether you can safely throw it away or whether you will break
Are these domain-handover scenarios, Mark?
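The rules the thread argues over, as an added example written for this page (it is not code from the list, from NLnet Labs or from any of the posters): DNSKEY flag bits 0x0100 Zone Key and 0x0001 SEP from RFC 4034 and 0x0080 REVOKE from RFC 5011, so 257 = Zone Key | SEP and 256 = Zone Key only; the RFC 4035 section 2.2 rule that every RRset, the apex DNSKEY RRset included, must carry an RRSIG from a Zone Key of every algorithm in the DNSKEY RRset; and the RFC 5011 rule that a revoked key must sign the DNSKEY RRset itself. `required_signers` encodes the "SEP keys plus revoked keys" policy from the replies above, and `check_dnskey_rrsigs` is the "decide whether you can safely throw it away" check: it reports algorithms that would lose coverage, revoked keys that did not self-sign, and the non-SEP signatures that are valid but superfluous in the thread's sense. Key tags follow RFC 4034 Appendix B; the public key bytes, the RRSIG records (reduced to algorithm and key tag, with no cryptographic verification) and the sample key set are all constructed for the example.

```python
"""Which RRSIGs over the apex DNSKEY RRset are required, and which are extra.

Added example for the dnssec-deployment thread; not code from the list or
from NLnet Labs.  Public key bytes and RRSIGs below are constructed
placeholders; no signature is cryptographically verified here.
"""
from dataclasses import dataclass

ZONE_KEY = 0x0100   # RFC 4034 section 2.1.1
REVOKE = 0x0080     # RFC 5011 section 2.1
SEP = 0x0001        # RFC 4034 section 2.1.1
PROTOCOL = 3        # the only protocol value RFC 4034 allows in DNSKEY RDATA


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    pubkey: bytes  # constructed placeholder, not a real public key

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([PROTOCOL, self.algorithm]) + self.pubkey)

    def key_tag(self) -> int:
        return key_tag(self.rdata())

    def is_zone_key(self) -> bool:
        return bool(self.flags & ZONE_KEY)

    def is_sep(self) -> bool:
        return bool(self.flags & SEP)

    def is_revoked(self) -> bool:
        return bool(self.flags & REVOKE)


@dataclass(frozen=True)
class RRSIG:
    """Only the RRSIG fields that identify the signing key."""
    algorithm: int
    key_tag: int


def required_signers(keys):
    """The policy from the thread: non-revoked SEP zone keys of every
    algorithm present, plus every revoked key (RFC 5011 self-signature)."""
    return [k for k in keys
            if k.is_zone_key() and (k.is_sep() or k.is_revoked())]


def check_dnskey_rrsigs(keys, rrsigs):
    """Report what the given RRSIGs over the DNSKEY RRset do and do not cover."""
    by_id = {(k.algorithm, k.key_tag()): k for k in keys}
    signers, unknown = [], []
    for sig in rrsigs:
        key = by_id.get((sig.algorithm, sig.key_tag))
        if key is None:
            unknown.append(sig.key_tag)
        else:
            signers.append(key)
    algorithms = {k.algorithm for k in keys}
    covered = {k.algorithm for k in signers if k.is_zone_key()}
    return {
        # RFC 4035 2.2: an algorithm in the DNSKEY RRset with no Zone Key signature
        "missing_algorithms": sorted(algorithms - covered),
        # RFC 5011: revoked keys that did not sign the RRset themselves
        "unsigned_revoked": sorted(k.key_tag() for k in keys
                                   if k.is_revoked() and k not in signers),
        # valid, but "superfluous" in the sense used in the thread
        "non_sep_signers": sorted(k.key_tag() for k in signers if not k.is_sep()),
        "unknown_key_tags": sorted(unknown),
    }


# Constructed apex DNSKEY RRset: current KSK, old KSK being revoked, one ZSK.
KSK = DNSKEY(257, 8, b"\x01\x02\x03\x04")
OLD_KSK_REVOKED = DNSKEY(257 | REVOKE, 8, b"\x0a\x0b\x0c\x0d")  # flags 385
ZSK = DNSKEY(256, 8, b"\x20\x21\x22\x23")
APEX_KEYS = [KSK, OLD_KSK_REVOKED, ZSK]


def sign_with(keys):
    """Constructed RRSIG set: one signature per listed key, nothing verified."""
    return [RRSIG(k.algorithm, k.key_tag()) for k in keys]


if __name__ == "__main__":
    print("required signers:", [k.key_tag() for k in required_signers(APEX_KEYS)])
    print("all three sign:  ", check_dnskey_rrsigs(APEX_KEYS, sign_with(APEX_KEYS)))
    print("only KSK signs:  ", check_dnskey_rrsigs(APEX_KEYS, sign_with([KSK])))
    # Setting the REVOKE bit changes the RDATA, so the revoked key's tag moves by 128.
    before = DNSKEY(257, 8, OLD_KSK_REVOKED.pubkey).key_tag()
    print("tag shift on revoke:", OLD_KSK_REVOKED.key_tag() - before)
```

Two points the output makes concrete: with the KSK, the revoked KSK and the ZSK all signing, the only finding is the ZSK's tag under `non_sep_signers`, i.e. the signature the thread calls superfluous; dropping the revoked key's signature instead produces an `unsigned_revoked` finding, and adding a key of a second algorithm that nothing signs produces a `missing_algorithms` finding, which is exactly the breakage to rule out before discarding any signature. The tag shift on revocation also shows why the RRSIG for a revoked key carries a different key tag than the DS that once pointed at it.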