dnssec-verify and dnssec-dnskey-kskonly

Tony Finch dot at dotat.at
Wed Aug 15 10:41:32 UTC 2012


Playing around with dnssec-verify:

$ dig axfr dotat.at | dnssec-verify -o dotat.at /dev/stdin
Loading zone 'dotat.at' from file '/dev/stdin'
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                    ZSKs: 1 active, 0 stand-by, 0 revoked

OK. But the manual says:

       -x
           Only verify that the DNSKEY RRset is signed with key-signing keys.
           Without this flag, it is assumed that the DNSKEY RRset will be
           signed by all active keys. When this flag is set, it will not be an
           error if the DNSKEY RRset is not signed by zone-signing keys. This
           corresponds to the -x option in dnssec-signzone.

And my zone has only one RRSIG on its DNSKEY RRset:

; <<>> DiG 9.9.2b1 <<>> +dnssec +multiline dnskey dotat.at
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dotat.at.              IN DNSKEY

;; ANSWER SECTION:
dotat.at.               3600 IN DNSKEY 256 3 5 (
                                AwEAAczBisQAJbGom5SzZHxr7j/ddJBsoxuchn4Ki+Xl
                                NASArKXs46UbXWbXZitymfv4F6wkY8mEErgEs4qil5Im
                                p9zv7qmSpHJEFOSrgEP+XYyD6duCw57uvXYBv5mV2ulr
                                wrbEHfcZmu1gYb9UDhTi4j7dBExUkNW2qSV5H4/kzCT/
                                ) ; ZSK; alg = RSASHA1; key id = 56700
dotat.at.               3600 IN DNSKEY 257 3 5 (
                                AwEAAZfTCuV4JYWU/COTmC6N37hek+RsIHLZ484GGO4O
                                hGNpBYIIlcT+wubBD4VPyjmALVny0lV3nUVle9PrPHJC
                                4q02uJnoRi+NPAJ9eAVlBGkvJ75l0TgaSgCV+xtR69VM
                                xomC1B00pBZHzfnY3Ig4OhrH6YoaezgQ4eyNkzg3fWVi
                                SQvjosTZmuwwhnNfWu9bKQiM/WSRHLFiNBjB/H/YtjM1
                                It0dQaLDRiZMX2/dFZw0YewdHei46NjCXarNe/CwiTw7
                                +g3zPyGmDPSVFNr+INvdMDqyVRroHkZ8Ky+kPL4lLz9E
                                oG1PcCzq7YjBr+JY6Hq7CjLbZZFw1wY0jKISoKk=
                                ) ; KSK; alg = RSASHA1; key id = 5677
dotat.at.               3600 IN RRSIG DNSKEY 5 2 3600 (
                                20120831190247 20120801184840 5677 dotat.at.
                                EPDmmG99GNcPHRzMK7fbkWOpE7P+hbyNbCcpi9hYmwq9
                                GUNqmHI1VK3xNl4YiB6ARUtVuGqKi45SGltFlBKBh+KW
                                i6NA+U7IXniKXnztUJqo7QSAWVdcZrRVcEpNE7MdPUeT
                                lyijL9ytXfFV/q1398o00KErc7OGZ+rlRhQQZAX0SiU6
                                UV4C/ecA581j231rfSGb9ttGhqFK7lPNkv33B2jyc7uU
                                qxm7Ra5WSWnfudPeBlhg3YcqCwoefwA0a7QviqR3VKjM
                                Ak1pr4EH9KX5H2TFSP4EazJTqIuRvbGWH5TVuHMaH/cm
                                rI7gCUkIOxPKWYgIhwnjSMp5E/mjMfoOmA== )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 15 11:38:10 2012
;; MSG SIZE  rcvd: 757

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Viking, North Utsire, South Utsire: Southeasterly 4 or 5, occasionally 6 later
except in North Utsire. Slight or moderate. Showers. Moderate or good.
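As an added example (not code from this post, nor from BIND's dnssec-verify), the Python script below applies the rule the manual describes to the DNSKEY answer quoted above: it rejoins dig's +multiline records, recomputes each key's key tag from the RDATA (RFC 4034 Appendix B, the same value dig prints as "key id"), reads the key tag field of the RRSIG to see which key signed the DNSKEY RRset, and then reports which active keys are missing a signature, once with the default rule (all active keys must sign) and once with the -x rule (only KSKs must sign). It assumes that every unrevoked key in the RRset counts as "active" (dnssec-verify decides that from key timing metadata that is not in the zone) and it matches signatures to keys by key tag only, without checking the RSA signature itself.

```python
import base64
import re
import struct
from dataclasses import dataclass

# Constructed input: the DNSKEY RRset and its single RRSIG, copied from the
# dig answer section in the post above.
DIG_OUTPUT = """\
dotat.at.               3600 IN DNSKEY 256 3 5 (
                                AwEAAczBisQAJbGom5SzZHxr7j/ddJBsoxuchn4Ki+Xl
                                NASArKXs46UbXWbXZitymfv4F6wkY8mEErgEs4qil5Im
                                p9zv7qmSpHJEFOSrgEP+XYyD6duCw57uvXYBv5mV2ulr
                                wrbEHfcZmu1gYb9UDhTi4j7dBExUkNW2qSV5H4/kzCT/
                                ) ; ZSK; alg = RSASHA1; key id = 56700
dotat.at.               3600 IN DNSKEY 257 3 5 (
                                AwEAAZfTCuV4JYWU/COTmC6N37hek+RsIHLZ484GGO4O
                                hGNpBYIIlcT+wubBD4VPyjmALVny0lV3nUVle9PrPHJC
                                4q02uJnoRi+NPAJ9eAVlBGkvJ75l0TgaSgCV+xtR69VM
                                xomC1B00pBZHzfnY3Ig4OhrH6YoaezgQ4eyNkzg3fWVi
                                SQvjosTZmuwwhnNfWu9bKQiM/WSRHLFiNBjB/H/YtjM1
                                It0dQaLDRiZMX2/dFZw0YewdHei46NjCXarNe/CwiTw7
                                +g3zPyGmDPSVFNr+INvdMDqyVRroHkZ8Ky+kPL4lLz9E
                                oG1PcCzq7YjBr+JY6Hq7CjLbZZFw1wY0jKISoKk=
                                ) ; KSK; alg = RSASHA1; key id = 5677
dotat.at.               3600 IN RRSIG DNSKEY 5 2 3600 (
                                20120831190247 20120801184840 5677 dotat.at.
                                EPDmmG99GNcPHRzMK7fbkWOpE7P+hbyNbCcpi9hYmwq9
                                GUNqmHI1VK3xNl4YiB6ARUtVuGqKi45SGltFlBKBh+KW
                                i6NA+U7IXniKXnztUJqo7QSAWVdcZrRVcEpNE7MdPUeT
                                lyijL9ytXfFV/q1398o00KErc7OGZ+rlRhQQZAX0SiU6
                                UV4C/ecA581j231rfSGb9ttGhqFK7lPNkv33B2jyc7uU
                                qxm7Ra5WSWnfudPeBlhg3YcqCwoefwA0a7QviqR3VKjM
                                Ak1pr4EH9KX5H2TFSP4EazJTqIuRvbGWH5TVuHMaH/cm
                                rI7gCUkIOxPKWYgIhwnjSMp5E/mjMfoOmA== )
"""

FLAG_SEP, FLAG_REVOKE = 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034, RFC 5011)

@dataclass
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes
    stated_key_id: int  # the "key id = N" that dig appended as a comment

    @property
    def key_tag(self):
        # RFC 4034 Appendix B: 16-bit checksum over the wire-format RDATA
        # (used for every algorithm except the obsolete RSAMD5, alg 1).
        rdata = struct.pack(">HBB", self.flags, self.protocol, self.algorithm) + self.public_key
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def role(self):
        return "KSK" if self.flags & FLAG_SEP else "ZSK"

    @property
    def active(self):
        # Assumption: dnssec-verify decides active/stand-by from key timing
        # metadata that is not in the zone, so here every unrevoked key counts.
        return not self.flags & FLAG_REVOKE

def _records(text):
    """Rejoin dig +multiline '( ... )' records so each one is a single string."""
    records, buf = [], []
    for line in text.splitlines():
        if line.strip():
            buf.append(line.strip())
        if ")" in line:
            records.append(" ".join(buf))
            buf = []
    return records

def parse_dig(text):
    """Return (list of DnsKey, list of key tags that signed the DNSKEY RRset)."""
    keys, signer_tags = [], []
    for rec in _records(text):
        data, _, comment = rec.partition(";")  # dig's trailing "; ZSK; ..." comment
        f = data.replace("(", " ").replace(")", " ").split()
        if f[3] == "DNSKEY":
            key_id = int(re.search(r"key id = (\d+)", comment).group(1))
            keys.append(DnsKey(int(f[4]), int(f[5]), int(f[6]),
                               base64.b64decode("".join(f[7:])), key_id))
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            signer_tags.append(int(f[10]))  # RRSIG key tag field names the signing key
    return keys, signer_tags

def unsigned_active_keys(keys, signer_tags, kskonly=False):
    """Active keys that did not sign the DNSKEY RRset.

    Default rule from the manual: every active key must sign it. With kskonly
    (the -x flag) only KSKs are required to. Matching is by key tag only; a
    real verifier also checks each RRSIG cryptographically.
    """
    required = [k for k in keys if k.active and (k.role == "KSK" or not kskonly)]
    return [k for k in required if k.key_tag not in signer_tags]

if __name__ == "__main__":
    keys, signers = parse_dig(DIG_OUTPUT)
    for k in keys:
        print(f"{k.role} flags={k.flags} key tag={k.key_tag} (dig said {k.stated_key_id})")
    for kskonly in (False, True):
        missing = unsigned_active_keys(keys, signers, kskonly)
        print(f"-x={'yes' if kskonly else 'no'}: "
              + ("DNSKEY RRset fully signed" if not missing
                 else "not signed by " + ", ".join(f"{k.role} {k.key_tag}" for k in missing)))
```

Run as-is it reports the ZSK (key tag 56700) as missing under the default rule and nothing missing under the -x rule, which is the discrepancy the post points at: the quoted dnssec-verify run declared the zone fully signed without -x even though only the KSK signed the DNSKEY RRset.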


