[dnssec-deployment] Signatures on the DNSKEY
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Thu Oct 1 03:43:35 EDT 2009
On 10/01/2009 12:02 AM, Mark Andrews wrote:
> In message <list-18076913 at execdsl.com>, Jakob Schlyter writes:
>> On 30 sep 2009, at 17.41, Edward Lewis wrote:
>>
>>> Should a DNSKEY set with a mixture of SEP and non-SEP keys (flags
>>> 257 and 256) be (actively) signed by any of its non-SEP key(s)?
>>
>> no, the DNSKEY RRset needs to be signed by SEP keys only (including
>> revoked SEP keys if you do 5011). It does not hurt to sign it with
>> non-SEP keys, but there is no benefit, IMHO.
+1.
The only signatures needed for a prepublish rollover are those of the
current KSK and the signatures of any revoked keys you want to include.
The reason is that keys with the SEP flag (so-called 'KSKs') are
generated with flags 257 = (Zone_Key | SEP). Thus these *are* zone
signing keys too.
The requirement is to sign every RRset with a key that has the Zone Key
flag, for every algorithm in use by the zone. Thus, different Zone Keys
can be used to sign different data, and signing the DNSKEY with only SEP
keys is such a policy. This is thus within the 403x spec.
>>> In my opinion, the signature of a non-SEP key over an apex DNSKEY
>>> set is superfluous[0].
>>
>> I agree.
Agree.
>> jakob
>
> It is NOT always superfluous. I've got scenarios where it is required.
> You can't just throw it away. You have to make a decision about
> whether you can safely throw it away or whether you will break
> validation.
Are these domain-handover scenarios, Mark?
Best regards,
Wouter
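The rules the thread is arguing over (Zone Key / SEP / REVOKE flag bits, the RFC 4035 section 2.2 "every algorithm must sign" requirement, the RFC 5011 self-signature of revoked keys, and the need for at least one signer to match a parent DS) can be written down as a small structural check. The code below is an added illustration, not code from the original message or from NLnet Labs; key tags, algorithms and the DS set are constructed sample data, no signature cryptography is performed, and DS matching is simplified to a (key tag, algorithm) pair. The `superfluous_signatures` helper answers Edward Lewis's question mechanically: an RRSIG is superfluous only if dropping it introduces no validation problem, which is exactly the decision Mark Andrews says you have to make.

```python
from dataclasses import dataclass

# DNSKEY flags field bits (RFC 4034, 2.1.1; RFC 5011, 2.1).
ZONE_KEY = 0x0100  # bit 7: may sign zone data
REVOKE = 0x0080    # bit 8: key has been revoked (RFC 5011)
SEP = 0x0001       # bit 15: Secure Entry Point hint; 257 == ZONE_KEY | SEP


@dataclass(frozen=True)
class Key:
    """One DNSKEY record; `tag` is the key tag as computed over the published RDATA."""
    tag: int
    flags: int
    algorithm: int

    @property
    def zone_key(self) -> bool:
        return bool(self.flags & ZONE_KEY)

    @property
    def sep(self) -> bool:
        return bool(self.flags & SEP)

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE)


@dataclass(frozen=True)
class Sig:
    """One RRSIG over the apex DNSKEY RRset (only the fields the check needs)."""
    key_tag: int
    algorithm: int


def dnskey_signature_problems(keys, sigs, ds):
    """Return the reasons this DNSKEY RRset would fail structural validation.

    keys: the apex DNSKEY RRset; sigs: its RRSIGs; ds: set of (key_tag, algorithm)
    pairs published as DS at the parent (simplified: no digest comparison).
    Cryptographic verification of each RRSIG is assumed to succeed.
    """
    problems = []
    by_id = {(k.tag, k.algorithm): k for k in keys}
    signers = {(s.key_tag, s.algorithm) for s in sigs}

    # RFC 4035, 5.3.1: the signer must be in the RRset and carry the Zone Key flag.
    for s in sigs:
        k = by_id.get((s.key_tag, s.algorithm))
        if k is None:
            problems.append(f"RRSIG by unknown key {s.key_tag}/{s.algorithm}")
        elif not k.zone_key:
            problems.append(f"RRSIG by key {k.tag} without the Zone Key flag")

    # RFC 4035, 2.2: every algorithm in the DNSKEY RRset must sign every RRset.
    for alg in sorted({k.algorithm for k in keys if k.zone_key}):
        if not any(s.algorithm == alg for s in sigs):
            problems.append(f"no RRSIG by any key of algorithm {alg}")

    # Chain of trust: at least one signer must be a key the parent's DS points at.
    # The SEP flag is only a hint; the DS may reference a 256 key just as well.
    if ds and not (signers & ds):
        problems.append("no RRSIG by a key referenced from the parent DS")

    # RFC 5011, 2.1: a revoked key must itself sign the DNSKEY RRset.
    for k in keys:
        if k.revoked and (k.tag, k.algorithm) not in signers:
            problems.append(f"revoked key {k.tag} does not sign the DNSKEY RRset")

    return problems


def superfluous_signatures(keys, sigs, ds):
    """RRSIGs that can each be dropped (individually) without adding a problem."""
    base = dnskey_signature_problems(keys, sigs, ds)
    return [s for s in sigs
            if dnskey_signature_problems(keys, [t for t in sigs if t != s], ds) == base]


# Constructed sample zone: one SEP key and one non-SEP key, same algorithm.
KSK = Key(tag=12345, flags=257, algorithm=8)   # 257 = Zone Key | SEP
ZSK = Key(tag=11111, flags=256, algorithm=8)   # 256 = Zone Key only
PARENT_DS = {(KSK.tag, KSK.algorithm)}         # parent's DS points at the SEP key


def demo():
    """Walk through the cases raised in the thread; returns a dict for inspection."""
    mixed = [KSK, ZSK]
    ksk_only = [Sig(KSK.tag, 8)]
    both = [Sig(KSK.tag, 8), Sig(ZSK.tag, 8)]
    return {
        "ksk_only_is_enough": dnskey_signature_problems(mixed, ksk_only, PARENT_DS),
        "zsk_sig_superfluous": superfluous_signatures(mixed, both, PARENT_DS),
        # Second algorithm in the zone: the SEP key alone no longer suffices.
        "two_algorithms": dnskey_signature_problems(
            [KSK, Key(tag=22222, flags=256, algorithm=13)], ksk_only, PARENT_DS),
        # Revoked key (385 = 256 | 128 | 1) must add its own RRSIG.
        "revoked_not_self_signed": dnskey_signature_problems(
            [KSK, ZSK, Key(tag=33333, flags=385, algorithm=8)], ksk_only, PARENT_DS),
        # If the DS happens to reference the 256 key, it is the KSK RRSIG that is spare.
        "ds_on_zsk": superfluous_signatures(mixed, both, {(ZSK.tag, 8)}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that `superfluous_signatures` tests signatures one at a time: with both the KSK and ZSK signature present and a DS on the KSK, only the ZSK signature is reported as droppable, which matches the consensus in the thread; if the DS instead referenced the non-SEP key, the KSK signature would be the spare one, which is the kind of case where a non-SEP signature cannot simply be thrown away.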