This may not be the right place to ask, if this is a better question asked in a different list, please let me know.
I am curious as to how BIND generates and processes DS RRSIG, and this may not be unique to BIND, since I've seen this behavior across multiple vendors. From the following: $ dig example.com. DS +dnssec +nocrypto ; <<>> DiG 9.12.2-P2 <<>> example.com. DS +dnssec +nocrypto ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;example.com. IN DS ;; ANSWER SECTION: example.com. 84558 IN DS 43547 8 2 [omitted] example.com. 84558 IN DS 31406 8 1 [omitted] example.com. 84558 IN DS 31406 8 2 [omitted] example.com. 84558 IN DS 31589 8 1 [omitted] example.com. 84558 IN DS 31589 8 2 [omitted] example.com. 84558 IN DS 43547 8 1 [omitted] example.com. 84558 IN RRSIG DS 8 2 86400 20190709042256 20190702031256 3800 com. [omitted] ;; Query time: 228 msec ;; SERVER: 10.0.22.1#53(10.0.22.1) ;; WHEN: Wed Jul 03 01:27:42 PST 2019 ;; MSG SIZE rcvd: 455 There are 6 DS records total, but only 1 RRSIG. This leads me to believe that the single RRSIG is generated by somehow concatenating all DS records together. This then leads me to believe that the validating resolver needs to process _all_ DS records, not just the ones whose key tag matches the child zone's KSK. Is this true? It seems like a small overhead in the grand scheme of things, but that seems inefficient, if multiple DS records are left at the parent zone after a couple of key rollovers. Any information on this would be appreciated. -Josh
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
