KSK signing zone records

Mark Andrews marka at isc.org
Thu Sep 2 01:15:32 UTC 2021


The primary reason that it is per algorithm is that validators and
signers are not required to support the same sets of algorithms and
if you want validation to work for everyone the zone has to be fully
signed for each algorithm that you state that it is signed for, i.e.
published in the DS RRset held in the parent zone.  CDS and CDNSKEY
also publish this but are not used as part of the validation process.

If you publish that you are signed for ALG-A and ALG-B and the validator
only supports ALG-B, then if you don’t sign all the zone with ALG-B
there will be answers that can’t be validated.  The same applies if
the validator only supports ALG-A and you don’t fully sign the zone
with ALG-A.

Downgrade attacks are where you support both algorithms but someone
strips out the signatures from one of the algorithms because they
have succeeded in breaking the other algorithm.  DNSSEC does not
require that validators detect this condition, though some validators
can be configured to force checks for every published algorithm that
you support. If a validator wants to protect itself from downgrade
attacks it needs to limit itself to only checking RRSIGs for algorithms
listed in the DS RRset and ensure that all algorithms listed there are
present in the response and that the signatures are good.

Mark 

> On 2 Sep 2021, at 09:30, raf via bind-users <bind-users at lists.isc.org> wrote:
> 
> On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch <dot at dotat.at> wrote:
> 
>> raf via bind-users <bind-users at lists.isc.org> wrote:
>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <clists at buxtonfamily.us> wrote:
>>> 
>>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the
>>>> same algorithm, then both will be used to sign the entire zone.
>>> 
>>> Just out of curiosity, why is that?
>>> Isn't having the KSK sign the ZSK enough?
>> 
>> As well as what Mark said, the reason signing is per-algorithm is to do
>> with downgrade protection: if there's a situation where validators support
>> different algorithms (e.g. some have deprecated a bad algorithm but some
>> have not yet deployed its replacement) then a signer can support all the
>> validators by signing with both algorithms, without causing problems for
>> the newer validators that want to distrust the old algorithm. A validator
>> can decide whether a zone is secure or not based purely on the algorithms
>> listed in its DS RRset.
>> 
>> Tony.
>> -- 
>> f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
>> Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good.
> 
> Thanks.
> 
> cheers,
> raf
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
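The situations described in the message above (a zone that is not fully signed for an algorithm its DS RRset advertises, and an on-path attacker stripping one algorithm's signatures) modelled as an added Python example. This is not code from the post or from BIND: no real cryptography is performed, RRSIGs are plain records with a "valid" flag standing in for signature verification, and the zone name, key tags and RRsets are constructed. The IANA algorithm numbers (8, 13, 15) are real; the "strict" validation mode is the behaviour the post describes a downgrade-resistant validator would need, not a specific product's option.

```python
"""Per-algorithm DNSSEC signing and validator-side checks, modelled in stdlib Python.

Constructed model: an RRSIG is (covered RRset, algorithm, key tag, valid flag);
no signature is actually computed or verified. Zone name and key tags are made up.
"""
from dataclasses import dataclass

RSASHA256 = 8           # IANA DNSSEC algorithm numbers (real assignments)
ECDSAP256SHA256 = 13
ED25519 = 15


@dataclass(frozen=True)
class Key:
    role: str            # "KSK" or "ZSK", label only
    algorithm: int
    keytag: int


@dataclass(frozen=True)
class RRSIG:
    rrset: str           # covered RRset, e.g. "www.example. A"
    algorithm: int
    keytag: int
    valid: bool = True   # stands in for the signature verifying under the DNSKEY


def sign_zone(rrsets, keys):
    """Signer: every RRset gets one RRSIG for each distinct algorithm in `keys`
    (RFC 4035 s2.2: each algorithm in the apex DNSKEY RRset must sign every RRset).
    If keys of only one algorithm are passed, the zone is only signed for that one."""
    by_alg = {}
    for k in keys:
        by_alg.setdefault(k.algorithm, k)   # first key of each algorithm signs
    return [RRSIG(r, k.algorithm, k.keytag) for r in rrsets for k in by_alg.values()]


def strip_algorithm(sigs, algorithm):
    """On-path attacker who has broken the *other* algorithm: remove the RRSIGs of
    the algorithm they cannot forge, leaving only the (forgeable) ones."""
    return [s for s in sigs if s.algorithm != algorithm]


def validate(rrset, sigs, ds_algorithms, supported, strict=False):
    """Validator. `ds_algorithms` is the set of algorithms published in the
    parent's DS RRset; `supported` is what this validator implements.
    Default mode (RFC 6840 s5.11): one good RRSIG from any supported, DS-listed
    algorithm makes the RRset secure.
    strict=True (downgrade-resistant, as the post describes): every DS-listed
    algorithm must have an RRSIG present and every supported one must verify."""
    usable = ds_algorithms & supported
    if not usable:
        return "insecure"   # DS lists only unsupported algorithms: treat as unsigned
    mine = [s for s in sigs if s.rrset == rrset and s.algorithm in ds_algorithms]
    present = {s.algorithm for s in mine}
    good = {s.algorithm for s in mine if s.valid and s.algorithm in usable}
    if strict:
        return "secure" if ds_algorithms <= present and usable <= good else "bogus"
    return "secure" if good else "bogus"


def scenarios():
    """Run the cases discussed in the thread; returns {name: validation result}."""
    rrsets = ["example. DNSKEY", "www.example. A"]
    target = "www.example. A"
    ksk13 = Key("KSK", ECDSAP256SHA256, 1002)
    ksk15 = Key("KSK", ED25519, 1001)
    zsk13 = Key("ZSK", ECDSAP256SHA256, 2002)
    zsk15 = Key("ZSK", ED25519, 2003)
    out = {}

    # KSK is alg 15 (so DS advertises 15), ZSK is alg 13, and only the ZSK's
    # algorithm signs the zone: a validator finds no alg-15 RRSIG on the A record.
    sigs = sign_zone(rrsets, [zsk13])
    out["ksk_alg_not_signing"] = validate(target, sigs, {ED25519}, {ED25519, ECDSAP256SHA256})

    # Dual-algorithm zone, fully signed for both: validators supporting only one
    # of the two algorithms both succeed.
    full = sign_zone(rrsets, [ksk13, ksk15, zsk13, zsk15])
    out["full_only13_validator"] = validate(target, full, {13, 15}, {ECDSAP256SHA256})
    out["full_only15_validator"] = validate(target, full, {13, 15}, {ED25519})

    # DS advertises 13 and 15 but the zone is only signed with 13: an alg-15-only
    # validator gets answers it cannot validate.
    partial = sign_zone(rrsets, [ksk13, zsk13])
    out["partial_only15_validator"] = validate(target, partial, {13, 15}, {ED25519})

    # Downgrade: attacker who broke alg 13 strips the alg-15 RRSIGs. The default
    # rule accepts the remaining alg-13 signature; strict mode notices 15 is missing.
    stripped = strip_algorithm(full, ED25519)
    out["downgrade_default"] = validate(target, stripped, {13, 15}, {13, 15})
    out["downgrade_strict"] = validate(target, stripped, {13, 15}, {13, 15}, strict=True)
    out["full_strict"] = validate(target, full, {13, 15}, {13, 15}, strict=True)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} {result}")
```

The strict branch is the trade-off the message points at: it only catches the stripped algorithm because the validator insists on seeing every algorithm the DS RRset lists, which is exactly why a zone advertising two algorithms has to carry signatures of both on every RRset, not just on the DNSKEY RRset.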