child KEY RRs in parent zone
lewis at tislabs.com
Wed Mar 22 19:01:25 UTC 2000
At 1:49 PM -0500 3/22/00, Roy Arends wrote:
>RFC 2535, 6.3, states that a KEY RR record of a secured zone may be
>present in the parent zone. If A parent decides not to include the childs
>KEY RR in its zone, how can V8/V9 (dns)signer be instructed to sign the
>childs key (without the key being included in the zone). I think it
>cannot. If that's the case then ehhhh, well ehhhh, what then ?
Historical accidents...when the V8 singer was written, the spec either said
that the parent had to hold the child's keys, or it was read that way. I
am not sure which is the case.
The entire .PARENT file mechanism is an old-BIND accident, not a DNSSEC
protocol requirement. While writing the code, we were aware of the problem
created by .PARENT files, but it was a low priority to fix early on. Then
came the first workshop last year which moved the issue to a "major
Now, what I mean by a "old-BIND accident" is that when BIND (vers 4 & 8)
loads a zone, it wipes out all information already known about the zone.
Ignoring refreshes of a zone (AXFR's and HUPs), this means that if a server
hosts both zone "a." and "b.a.", the cut point in "a." creating "b.a." is
deleted and replaced by the stuff in the new zone.
Until DNSSEC, this wasn't a problem. The records at the upper part of a
cut point deferred to the ones below. The NXT and the SIG (KEY) derived by
the parent changed that. The PARENT mechanism was invented to avoid having
to rewrite db_load's semantics.
Suffice it to say, BIND 9 will not act the same way when loading the child
of a parent-child pair. Thus, the .PARENT file contraption will bite the
>Might this (child key not mandatory for parent zone) be the reason that
>the -p (p1,po,ps,no-p1,no-ps) are not in signer V9, or is it just a beta
Yup - please join us in a round of "Death to the .PARENT file!"
Edward Lewis NAI Labs
Phone: +1 443-259-2352 Email: lewis at tislabs.com
"Trying is the first step to failure." - Homer Simpson
"No! Try not. Do... or do not. There is no try." - Yoda
"It takes years of training to know when to do nothing" - Dogbert 1/21/00
Opinions expressed are property of my evil twin, not my employer.
More information about the bind-users