KSK signing zone records

Mark Andrews marka at isc.org
Tue Aug 31 04:13:35 UTC 2021


The rules for what gets signed by what are per algorithm.  Additionally the
SEP bit is a hint to the signer as to what is desired.  Named has controls to
say whether to pay attention to the SEP bit or not.  Additionally it will
override those controls to pay attention to the SEP bit if it believes that
the zone won’t be correctly signed if it paid attention to the SEP bit.

People have created zones where one algorithm has keys with and without the SEP
bit but for a second algorithm there are only keys with (without) the SEP bit.
If the signer has been told to honour the SEP bit then for the first algorithm
it will be honoured and for the second algorithm the instruction will be
overridden.

See dnssec-dnskey-kskonly, update-check-ksk and the keys sub-clause of
dnssec-policy.

> On 31 Aug 2021, at 13:54, Chris Buxton <clists at buxtonfamily.us> wrote:
> 
> I honestly don’t remember the reasoning, only the outcome. Maybe Mark or someone else from ISC can shed some light? I couldn’t find the answer to this regular (but infrequent) question in the ISC KB.
> 
> Regards,
> Chris Buxton
> 
>> On Aug 30, 2021, at 3:40 PM, raf via bind-users <bind-users at lists.isc.org> wrote:
>> 
>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
>> 
>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>> same algorithm, then both will be used to sign the entire zone.
>>> 
>>> Regards,
>>> Chris Buxton
>> 
>> Just out of curiosity, why is that?
>> Isn't having the KSK sign the ZSK enough?
>> What difference does the nature of the thing
>> being signed make?
>> 
>> cheers,
>> raf
>> 
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
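A small model of the per-algorithm rule described above, added here as an illustration and not code from the post or from BIND: for each algorithm it decides whether the honour-SEP instruction can be followed (KSKs sign the DNSKEY RRset, ZSKs sign the rest, as with dnssec-dnskey-kskonly) or must be overridden because that algorithm has only SEP or only non-SEP keys. The key labels, the sample DNSKEY set and the `plan_signing` function are constructed for this example.

```python
from collections import defaultdict

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 3757 for the SEP bit)
ZONE_KEY_FLAG = 0x0100   # bit 7: this is a zone key
SEP_FLAG = 0x0001        # bit 15: Secure Entry Point ("KSK")

# Constructed sample DNSKEY RRset as (label, flags, algorithm); not from the post.
# Algorithm 13 has a KSK and a ZSK, algorithm 8 has only a SEP key: the second
# scenario from the post.
SAMPLE_KEYS = [
    ("key1", 257, 13),   # ECDSAP256SHA256, SEP set
    ("key2", 256, 13),   # ECDSAP256SHA256, SEP clear
    ("key3", 257, 8),    # RSASHA256, SEP set, and the only key for this algorithm
]


def plan_signing(keys, honour_sep=True):
    """Return {algorithm: {"dnskey": [labels], "zone": [labels], "sep_honoured": bool}}.

    The decision is made per algorithm.  If honour_sep is requested and the
    algorithm has both SEP and non-SEP keys, the SEP keys sign the DNSKEY RRset
    and the non-SEP keys sign the other records.  Otherwise every zone key of
    that algorithm signs everything, because following the SEP hint would leave
    one class of RRsets with no signature for that algorithm.
    """
    by_alg = defaultdict(list)
    for label, flags, alg in keys:
        if not flags & ZONE_KEY_FLAG:
            continue  # not a zone key: it cannot sign anything
        by_alg[alg].append((label, bool(flags & SEP_FLAG)))

    plan = {}
    for alg, alg_keys in sorted(by_alg.items()):
        ksks = [label for label, sep in alg_keys if sep]
        zsks = [label for label, sep in alg_keys if not sep]
        if honour_sep and ksks and zsks:
            plan[alg] = {"dnskey": ksks, "zone": zsks, "sep_honoured": True}
        else:
            everything = ksks + zsks
            plan[alg] = {"dnskey": everything, "zone": everything,
                         "sep_honoured": False}
    return plan


if __name__ == "__main__":
    for alg, entry in plan_signing(SAMPLE_KEYS).items():
        print(f"alg {alg}: DNSKEY signed by {entry['dnskey']}, "
              f"zone data signed by {entry['zone']}, "
              f"SEP honoured: {entry['sep_honoured']}")
```

Running it with a KSK and ZSK of different algorithms reproduces the answer given earlier in the thread: each algorithm has a single key, so that key signs the entire zone.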