DS record RRSIG
Josh Kuo
josh.kuo at gmail.com
Tue Jul 2 19:00:03 UTC 2019
Tony,
Thank you for that detailed explanation.
On Wed, Jul 3, 2019 at 2:15 AM Tony Finch <dot at dotat.at> wrote:
> Josh Kuo <josh.kuo at gmail.com> wrote:
> >
> > There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> > that the single RRSIG is generated by somehow concatenating all DS records
> > together.
>
> Correct.
>
> > This then leads me to believe that the validating resolver needs to
> > process _all_ DS records, not just the ones whose key tag matches the
> > child zone's KSK.
>
> Not quite.
>
> One way to validate a delegation is:
>
> * validate the DS RRset, which is signed using the parent's DNSKEY(s)
> [ you can see the "com" signer field in the "example.com" RRSIG ]
>
> * get the key tags from the DS RRset (the first field in the records)
> and the key tags from the child's DNSKEY RRSIG records (between lifetime
> fields and the signer field) and calculate the key tags of the
> child's DNSKEY records
>
> * take the intersection of these three sets; these key tags identify keys
> that the parent says can validate the DNSKEY RRset, and that actually do
> validate the DNSKEY RRset, and that can be used to validate the DNSKEY
> RRset
>
> * for each DNSKEY in the set, ensure that there is a DS record whose
> digest matches it [ you can skip matching attempts when the key
> tags do not match ]
>
> * using the public keys and signatures you just identified, try to
> validate the self-signature on the DNSKEY RRset; if any of the
> signatures validates, it's all good! [ again the key tags let you
> skip pointless signature validation attempts ]
>
> There are some extra complications to do with downgrade protection, but
> that's the basic idea.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> women and men working together
>
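The following is an added worked example of the delegation-validation steps Tony lists; it is not code from the thread, from BIND, or from either poster. It builds, in plain Python with only the standard library, the pieces a validator needs for those steps: the RFC 4034 Appendix B key tag, the digest-type-2 (SHA-256) DS digest, the exact byte string an RRSIG covers (RFC 4034 section 3.1.8.1, which is why one RRSIG covers all six DS records), RSASHA256 verification, and the intersection of the three key-tag sets that lets a resolver skip pointless digest and signature attempts. Everything concrete in it is constructed for illustration: the child zone `example.test.`, the timestamps, the stale DS record, and a toy RSA key built from two Mersenne primes (so no key-generation code is needed; real keys use random primes). It assumes the DS RRset has already been validated against the parent's DNSKEY, as in Tony's first step, and it omits validity-window checks and the downgrade-protection rules Tony mentions; it also understands only algorithm 8 and digest type 2.

```python
"""Added example: DNSSEC delegation validation, step by step, standard library only.
The DS RRset is taken as already validated by the parent (same procedure one level up).
Zone name, timestamps, DS records and the RSA key below are all constructed."""
import hashlib
import struct

def name_wire(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def dnskey_rdata(flags, modulus, exponent=65537):
    """DNSKEY RDATA for RSASHA256: flags, protocol 3, algorithm 8, RFC 3110 key blob."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return struct.pack("!HBB", flags, 3, 8) + bytes([len(exp)]) + exp + mod

def rsa_pubkey(rdata):
    """(n, e) from RSASHA256 DNSKEY RDATA (1-byte exponent-length form only)."""
    elen = rdata[4]
    return int.from_bytes(rdata[5 + elen:], "big"), int.from_bytes(rdata[5:5 + elen], "big")

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the whole DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(name_wire(owner) + rdata).digest()

def rrsig_signed_data(rrsig, owner, rrs):
    """What an RRSIG signs: its own RDATA minus the signature field, then every RR
    of the RRset in canonical order. One signature covers the whole set, which is
    why a DS RRset of six records carries a single RRSIG."""
    data = struct.pack("!HBBIIIH", rrsig["type"], rrsig["alg"], rrsig["labels"],
                       rrsig["ttl"], rrsig["expire"], rrsig["incept"], rrsig["tag"])
    data += name_wire(rrsig["signer"])
    for rdata in sorted(rrs):                     # canonical order = sort by RDATA
        data += name_wire(owner)                  # owner | type | class IN | TTL | RDLENGTH | RDATA
        data += struct.pack("!HHIH", rrsig["type"], 1, rrsig["ttl"], len(rdata)) + rdata
    return data

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo prefix

def _emsa_pkcs1(data, k):
    h = hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(_DIGESTINFO) - len(h) - 3) + b"\x00" + _DIGESTINFO + h

def rsa_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1(data, k)

def validate_delegation(child, ds_set, dnskeys, rrsigs):
    """Return the key tag of a DNSKEY that a DS vouches for *and* that validates the
    DNSKEY RRset's self-signature, else None. ds_set: [(tag, alg, dtype, digest)];
    dnskeys: [rdata]; rrsigs: [(fields, signature)]. Validity-window checks omitted."""
    by_tag = {}
    for rd in dnskeys:                            # key tags are not unique, so keep lists
        by_tag.setdefault(key_tag(rd), []).append(rd)
    # the three sets from the post: DS tags, RRSIG tags, computed DNSKEY tags
    candidates = {t for t, _, _, _ in ds_set} & {r["tag"] for r, _ in rrsigs} & set(by_tag)
    for tag in candidates:
        for rd in by_tag[tag]:
            # the parent must vouch for this exact key: some DS digest has to match
            if not any(dt == 2 and dg == ds_digest(child, rd)
                       for t, alg, dt, dg in ds_set if t == tag and alg == rd[3]):
                continue
            n, e = rsa_pubkey(rd)
            for r, sig in rrsigs:                 # only signatures claiming this tag/alg
                if r["tag"] == tag and r["alg"] == rd[3] and \
                        rsa_verify(rrsig_signed_data(r, child, dnskeys), sig, n, e):
                    return tag
    return None

# --- constructed sample delegation (toy RSA key from two Mersenne primes; a real KSK
# uses random primes, this just avoids shipping key-generation code) --------------------
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))               # needs Python 3.8+
CHILD = "example.test."
KSK = dnskey_rdata(257, N)                        # SEP flag set; the key the DS names
ZSK = dnskey_rdata(256, 2**1279 - 1)              # never signs here, so its modulus is filler
DNSKEYS = [KSK, ZSK]
RRSIG = {"type": 48, "alg": 8, "labels": 2, "ttl": 3600, "expire": 1562716800,
         "incept": 1561507200, "tag": key_tag(KSK), "signer": CHILD}
SIG = rsa_sign(rrsig_signed_data(RRSIG, CHILD, DNSKEYS), N, D)
DS_SET = [(key_tag(KSK), 8, 2, ds_digest(CHILD, KSK)),          # current KSK
          ((key_tag(KSK) + 1) & 0xFFFF, 8, 2, bytes(32))]       # stale DS for a retired key

def demo_valid():
    """Happy path: the intersection is {tag(KSK)}, the digest matches, the signature verifies."""
    return validate_delegation(CHILD, DS_SET, DNSKEYS, [(RRSIG, SIG)])

def demo_extra_dnskey():
    """A DNSKEY the signer never saw changes the signed data, so the single RRSIG fails."""
    return validate_delegation(CHILD, DS_SET, DNSKEYS + [dnskey_rdata(256, 2**89 - 1)], [(RRSIG, SIG)])

def demo_wrong_ds():
    """Right key tag, wrong digest: the parent does not vouch for this key."""
    return validate_delegation(CHILD, [(key_tag(KSK), 8, 2, bytes(32))], DNSKEYS, [(RRSIG, SIG)])

if __name__ == "__main__":
    print("valid:", demo_valid() == key_tag(KSK), "| extra key:", demo_extra_dnskey(),
          "| wrong DS:", demo_wrong_ds())
```

The stale DS record shows the pruning in practice: its key tag is in the DS set but in neither the RRSIG set nor the DNSKEY set, so it never costs a digest computation. The two failure demos separate the two checks Tony describes: `demo_wrong_ds` fails at the "DS digest matches" step even though the key tag lines up, and `demo_extra_dnskey` fails at the signature step because the one RRSIG covers the whole canonically ordered RRset, not any individual record. A real validator also has to weigh every algorithm present in the DS RRset (the downgrade-protection complications Tony alludes to), which this example does not attempt.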