DS record RRSIG

Josh Kuo josh.kuo at gmail.com
Tue Jul 2 19:00:03 UTC 2019


Tony,

Thank you for that detailed explanation.

On Wed, Jul 3, 2019 at 2:15 AM Tony Finch <dot at dotat.at> wrote:

> Josh Kuo <josh.kuo at gmail.com> wrote:
> >
> > There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> > that the single RRSIG is generated by somehow concatenating all DS
> > records together.
>
> Correct.
>
> > This then leads me to believe that the validating resolver needs to
> > process _all_ DS records, not just the ones whose key tag matches the
> > child zone's KSK.
>
> Not quite.
>
> One way to validate a delegation is:
>
> * validate the DS RRset, which is signed using the parent's DNSKEY(s)
>   [ you can see the "com" signer field in the "example.com" RRSIG ]
>
> * get the key tags from the DS RRset (the first field in the records)
>   and the key tags from the child's DNSKEY RRSIG records (between lifetime
>   fields and the signer field) and calculate the key tags of the
>   child's DNSKEY records
>
> * take the intersection of these three sets; these key tags identify keys
>   that the parent says can validate the DNSKEY RRset, and that actually do
>   validate the DNSKEY RRset, and that can be used to validate the DNSKEY
>   RRset
>
> * for each DNSKEY in the set, ensure that there is a DS record
>   whose digest matches it [ you can skip matching attempts when the key
>   tags do not match ]
>
> * using the public keys and signatures you just identified, try to
>   validate the self-signature on the DNSKEY RRset; if any of the
>   signatures validates, it's all good! [ again the key tags let you
>   skip pointless signature validation attempts ]
>
> There are some extra complications to do with downgrade protection, but
> that's the basic idea.
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> women and men working together
>
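The procedure Tony describes, as an added Python example that is not part of this thread: it implements the key-tag arithmetic (RFC 4034 Appendix B), the DS digest over owner name plus DNSKEY RDATA (RFC 4034 section 5.1.4), the intersection of the three key-tag sets, and the per-key digest match. The DNSKEY, DS and RRSIG values are constructed (the public-key bytes are not a real key) and the final cryptographic verification of the DNSKEY self-signature is left to a DNSSEC library, since that step needs the real key material.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    key_tag: int        # the field between the lifetimes and the signer name
    signer: str         # signature bytes omitted: not needed to pick candidates


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """What the parent publishes: hash(owner name | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def ds_matches_dnskey(ds: DS, owner: str, key: DNSKEY) -> bool:
    rd = key.rdata()
    if ds.key_tag != key_tag(rd) or ds.algorithm != key.algorithm:
        return False        # cheap rejection before any hashing
    if ds.digest_type not in DIGESTS:
        return False        # unknown digest type cannot match anything
    return DIGESTS[ds.digest_type](name_to_wire(owner) + rd).digest() == ds.digest


def candidate_keys(owner, ds_rrset, dnskey_rrset, rrsigs):
    """Intersect the DS, DNSKEY and RRSIG key-tag sets, then keep only DNSKEYs
    that some DS really digests to. Returns (DNSKEY, RRSIG) pairs that are
    worth handing to a signature verifier; everything else is skipped."""
    zone = owner.lower().rstrip(".")
    tags = ({ds.key_tag for ds in ds_rrset}
            & {key_tag(k.rdata()) for k in dnskey_rrset}
            & {s.key_tag for s in rrsigs if s.signer.lower().rstrip(".") == zone})
    pairs = []
    for k in dnskey_rrset:
        kt = key_tag(k.rdata())
        if kt not in tags:
            continue
        if not any(ds_matches_dnskey(ds, owner, k) for ds in ds_rrset if ds.key_tag == kt):
            continue        # right tag, wrong key: a collision, not a match
        pairs.extend((k, s) for s in rrsigs if s.key_tag == kt)
    return pairs


# Constructed sample data (not real keys or signatures).
OWNER = "example.com."
KSK = DNSKEY(257, 3, 8, b"\x01\x02\x03\x04")
ZSK = DNSKEY(256, 3, 8, b"\x05\x06\x07\x08")
COLLIDING = DNSKEY(257, 3, 8, b"\x01\x04\x03\x02")   # same key tag as KSK, different key
DS_RRSET = [ds_from_dnskey(OWNER, KSK, 2), ds_from_dnskey(OWNER, KSK, 1)]
DNSKEY_RRSET = [KSK, ZSK, COLLIDING]
RRSIGS = [RRSIG(key_tag(KSK.rdata()), OWNER), RRSIG(key_tag(ZSK.rdata()), OWNER)]


def demo():
    return candidate_keys(OWNER, DS_RRSET, DNSKEY_RRSET, RRSIGS)


if __name__ == "__main__":
    for k, s in demo():
        print(f"try DNSKEY tag {key_tag(k.rdata())} against RRSIG by {s.signer}")
```

The COLLIDING key shows why the digest check cannot be skipped: it shares the KSK's key tag, so it survives the set intersection and is only rejected when its DS digest is computed. The ZSK is dropped earlier because the parent publishes no DS for it. For the downgrade complication Tony alludes to, RFC 4509 additionally tells a validator to ignore SHA-1 DS records for a key when a SHA-256 DS for the same key is present in the RRset.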