[Yeti DNS Discuss] Re: Multiple ZSK experiment (MZSK) launching today

Shane Kerr shane at biigroup.cn
Mon Feb 22 14:51:56 UTC 2016


Davey,

tl;dr We should probably only sign the DNSKEY RRset with the KSK.

More words:

I think that having consistent signing makes sense.

Stephane pointed out that there seems to be no clear advice on this or
even any real discussion.

My own thinking.

Positive:

- Signing the DNSKEY with the KSK and ZSK proves that the ZSK holder
  authenticates the DNSKEY RRset.

Negative:

- Signing the DNSKEY with KSK and ZSK makes the response bigger, which
  is generally bad.

- No software checks this proof and it is not clear what such a proof
  means in terms of authenticated data sets.

To me this seems to indicate that only having the DNSKEY RRset signed
with the KSK makes more sense, although weakly so.

Other opinions?

Cheers,

--
Shane

On 2016-02-22 14:03:00+0800 (Monday)
Davey Song(宋林健) <ljsong at biigroup.cn> wrote:

> Currently BII and WIDE only use the KSK to sign the DNSKEY, but TISF uses the
> ZSK to sign the DNSKEY as well. I think that is the difference. Should the DMs
> use a unified way for the key signing process?
> 
> Davey
> 
> -----Original Message-----
> From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of Stephane
> Bortzmeyer
> Sent: 21 February 2016 0:20
> To: dbgong
> Cc: discuss
> Subject: Re: [Yeti DNS Discuss] Multiple ZSK experiment (MZSK) launching today
> 
> On Fri, Feb 19, 2016 at 05:43:52PM +0800,  dbgong <dbgong at biigroup.cn> wrote
> a message of 144 lines which said:
> 
> > The response message size is 1471(include 6 zsks, 1 KSK, and 1 RRSIG).
> 
> A bit more for me (there are two signatures):
> 
> % dig DNSKEY .
> 
> ; <<>> DiG 9.10.3-P3 <<>> DNSKEY .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12935
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.			IN DNSKEY
> 
> ...
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Sat Feb 20 16:11:53 UTC 2016
> ;; MSG SIZE  rcvd: 1629
> _______________________________________________
> discuss mailing list
> discuss at lists.yeti-dns.org
> http://lists.yeti-dns.org/mailman/listinfo/discuss
> 
> 
> 
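To put a number on the "makes the response bigger" point in Shane's message, the following Python is an added example (editor's code, not code from the thread or from the Yeti project) that models the wire size of a signed DNSKEY response from the RFC 1035, RFC 4034 and RFC 3110 encodings. The key parameters are an assumption, not something the page states: RSA keys with a 3-byte public exponent, six 1024-bit ZSKs and one 2048-bit KSK. With those parameters the model reproduces the 1471 bytes dbgong reported for one RRSIG and the 1629 bytes in Stephane's dig output for two, and the ANSWER: 9 count (6 ZSKs + 1 KSK + 2 RRSIGs).

```python
"""Wire-size model for a signed DNSKEY response, from the RFC 1035/4034/3110 encodings.

Added example for the thread above (not code from the Yeti project). The key
parameters used in __main__ are an assumption: RSA keys with a 3-byte public
exponent, 1024-bit ZSKs and a 2048-bit KSK. The page does not state them, but
they reproduce the reported message sizes.
"""

# The root owner name "." is a single zero byte on the wire.
ROOT_NAME_LEN = 1
# Message header, question section (name + QTYPE + QCLASS) and an EDNS0 OPT
# pseudo-RR with empty RDATA (name, TYPE, UDP size, ext-RCODE/version/flags, RDLENGTH).
HEADER_LEN = 12
QUESTION_LEN = ROOT_NAME_LEN + 2 + 2
OPT_RR_LEN = ROOT_NAME_LEN + 2 + 2 + 4 + 2
# Fixed RR fields after the owner name: TYPE, CLASS, TTL, RDLENGTH.
RR_FIXED_LEN = 2 + 2 + 4 + 2
# IPv6 minimum link MTU and the IPv6 + UDP header overhead it must carry.
IPV6_MIN_MTU = 1280
IPV6_UDP_OVERHEAD = 40 + 8


def rsa_dnskey_rr_len(modulus_bits: int, exponent_len: int = 3) -> int:
    """Size of one DNSKEY RR holding an RSA key.

    RDATA is flags(2) + protocol(1) + algorithm(1) + public key, where the RSA
    public key (RFC 3110 section 2) is exponent-length(1) + exponent + modulus.
    """
    public_key_len = 1 + exponent_len + modulus_bits // 8
    return ROOT_NAME_LEN + RR_FIXED_LEN + 4 + public_key_len


def rsa_rrsig_rr_len(modulus_bits: int, signer_name_len: int = ROOT_NAME_LEN) -> int:
    """Size of one RRSIG RR made with an RSA key.

    RDATA (RFC 4034 section 3.1) is 18 fixed bytes (type covered, algorithm,
    labels, original TTL, expiration, inception, key tag) + signer's name +
    the PKCS#1 signature, which is as long as the modulus.
    """
    rdata_len = 18 + signer_name_len + modulus_bits // 8
    return ROOT_NAME_LEN + RR_FIXED_LEN + rdata_len


def dnskey_response_len(zsk_bits: int, n_zsk: int, ksk_bits: int, signer_bits: list) -> int:
    """Total size of the answer to 'DNSKEY .' with EDNS0.

    The apex DNSKEY RRset holds n_zsk ZSKs and one KSK; one RRSIG is added per
    signing key listed in signer_bits (the modulus size of each signer).
    """
    size = HEADER_LEN + QUESTION_LEN + OPT_RR_LEN
    size += n_zsk * rsa_dnskey_rr_len(zsk_bits) + rsa_dnskey_rr_len(ksk_bits)
    size += sum(rsa_rrsig_rr_len(bits) for bits in signer_bits)
    return size


def fits_unfragmented_ipv6(msg_len: int) -> bool:
    """True if the UDP message fits in one IPv6 packet at the minimum link MTU."""
    return msg_len + IPV6_UDP_OVERHEAD <= IPV6_MIN_MTU


if __name__ == "__main__":
    # Assumed MZSK layout: 6 x RSA-1024 ZSK, 1 x RSA-2048 KSK.
    ksk_only = dnskey_response_len(1024, 6, 2048, [2048])
    ksk_and_zsk = dnskey_response_len(1024, 6, 2048, [2048, 1024])
    print(f"DNSKEY RRset signed by KSK only:      {ksk_only} bytes")
    print(f"DNSKEY RRset signed by KSK and a ZSK: {ksk_and_zsk} bytes")
    print(f"Cost of the extra ZSK signature:      {ksk_and_zsk - ksk_only} bytes")
    for label, size in (("KSK only", ksk_only), ("KSK + ZSK", ksk_and_zsk)):
        print(f"{label}: fits unfragmented at IPv6 min MTU: {fits_unfragmented_ipv6(size)}")
```

The 158-byte difference between the two reported sizes is exactly one RSA-1024 RRSIG over the root (11 bytes of RR framing, 18 fixed RDATA bytes, a 1-byte signer name and a 128-byte signature). Neither size fits unfragmented at the IPv6 minimum MTU (1232 bytes of UDP payload), so in this experiment the second signature enlarges an answer that already has to fragment or fall back to TCP; the model makes the marginal cost of each additional signer easy to read off for other key layouts.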