Yes, the whole RRSet is always signed. Signing individual records would not protect against attacks stripping individual records and their RRSIGs.
Ondrej
--
Ondřej Surý
ond...@isc.org

> On 2 Jul 2019, at 19:34, Josh Kuo <josh....@gmail.com> wrote:
>
> This may not be the right place to ask, if this is a better question asked in
> a different list, please let me know.
>
> I am curious as to how BIND generates and processes DS RRSIG, and this may
> not be unique to BIND, since I've seen this behavior across multiple vendors.
> From the following:
>
> $ dig example.com. DS +dnssec +nocrypto
>
> ; <<>> DiG 9.12.2-P2 <<>> example.com. DS +dnssec +nocrypto
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;example.com. IN DS
>
> ;; ANSWER SECTION:
> example.com. 84558 IN DS 43547 8 2 [omitted]
> example.com. 84558 IN DS 31406 8 1 [omitted]
> example.com. 84558 IN DS 31406 8 2 [omitted]
> example.com. 84558 IN DS 31589 8 1 [omitted]
> example.com. 84558 IN DS 31589 8 2 [omitted]
> example.com. 84558 IN DS 43547 8 1 [omitted]
> example.com. 84558 IN RRSIG DS 8 2 86400 20190709042256
> 20190702031256 3800 com. [omitted]
>
> ;; Query time: 228 msec
> ;; SERVER: 10.0.22.1#53(10.0.22.1)
> ;; WHEN: Wed Jul 03 01:27:42 PST 2019
> ;; MSG SIZE rcvd: 455
>
> There are 6 DS records total, but only 1 RRSIG. This leads me to believe that
> the single RRSIG is generated by somehow concatenating all DS records
> together. This then leads me to believe that the validating resolver needs to
> process _all_ DS records, not just the ones whose key tag matches the child
> zone's KSK. Is this true? It seems like a small overhead in the grand scheme
> of things, but that seems inefficient, if multiple DS records are left at the
> parent zone after a couple of key rollovers.
>
> Any information on this would be appreciated.
>
> -Josh
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
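The answer above says the RRSIG covers the whole RRset. The following is an added illustration of what that means on the wire, written for this page and not code from BIND or from either poster. It builds the signed data exactly as RFC 4034 section 3.1.8.1 describes it: the RRSIG RDATA minus the Signature field, followed by every RR of the set in canonical form and canonical order. The key tags, algorithm, TTL, signer name and timestamps are taken from the dig output quoted above; the DS digests are constructed placeholders, and HMAC-SHA256 with a constructed key stands in for the RSA/SHA-256 (algorithm 8) signature so the block runs offline. It then shows that a set with one DS record removed no longer verifies, that record order in the response does not matter, and that matching DS records by key tag is a separate step that happens after the set as a whole has verified.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

TYPE_DS = 43
CLASS_IN = 1


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_rdata(key_tag: int, algorithm: int, digest_type: int, digest: bytes) -> bytes:
    """DS RDATA: key tag (2), algorithm (1), digest type (1), digest (RFC 4034 section 5.1)."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def canonical_rrset(owner: str, rtype: int, original_ttl: int, rdatas: list) -> bytes:
    """All RRs of the set in canonical form, sorted by RDATA as octet strings,
    duplicates removed (RFC 4034 section 6). The TTL used is the RRSIG's original TTL."""
    owner_wire = name_to_wire(owner)
    out = b""
    for rdata in sorted(set(rdatas)):
        out += owner_wire + struct.pack("!HHIH", rtype, CLASS_IN, original_ttl, len(rdata)) + rdata
    return out


def rrsig_prefix(type_covered, algorithm, labels, original_ttl,
                 expiration, inception, key_tag, signer) -> bytes:
    """RRSIG RDATA with the Signature field left out (RFC 4034 section 3.1.8.1)."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)


def signed_data(prefix, owner, rtype, original_ttl, rdatas) -> bytes:
    """signature = sign(RRSIG_RDATA | RR(1) | RR(2) | ... ), so every RR is an input."""
    return prefix + canonical_rrset(owner, rtype, original_ttl, rdatas)


def sign_rrset(key, prefix, owner, rtype, original_ttl, rdatas) -> bytes:
    # Assumption for the demo: HMAC-SHA256 stands in for the RSA/SHA-256 signature.
    return hmac.new(key, signed_data(prefix, owner, rtype, original_ttl, rdatas), hashlib.sha256).digest()


def verify_rrset(key, signature, prefix, owner, rtype, original_ttl, rdatas) -> bool:
    return hmac.compare_digest(sign_rrset(key, prefix, owner, rtype, original_ttl, rdatas), signature)


def ds_for_key_tag(rdatas, key_tag: int, algorithm: int) -> list:
    """Once the RRset has verified as a whole, pick the DS records matching the child's DNSKEY."""
    return [r for r in rdatas if struct.unpack("!HBB", r[:4])[:2] == (key_tag, algorithm)]


def _ts(yyyymmddhhmmss: str) -> int:
    """RRSIG presentation timestamp to the 32-bit seconds-since-epoch wire value."""
    return int(datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def demo() -> dict:
    owner, ttl = "example.com.", 86400
    # Constructed digests; real ones are SHA-1 (type 1) or SHA-256 (type 2) of the child DNSKEY.
    rdatas = [
        ds_rdata(43547, 8, 2, bytes([0x11]) * 32),
        ds_rdata(31406, 8, 1, bytes([0x22]) * 20),
        ds_rdata(31406, 8, 2, bytes([0x33]) * 32),
        ds_rdata(31589, 8, 1, bytes([0x44]) * 20),
        ds_rdata(31589, 8, 2, bytes([0x55]) * 32),
        ds_rdata(43547, 8, 1, bytes([0x66]) * 20),
    ]
    # Fields from the quoted RRSIG: DS 8 2 86400 20190709042256 20190702031256 3800 com.
    prefix = rrsig_prefix(TYPE_DS, 8, 2, ttl, _ts("20190709042256"), _ts("20190702031256"), 3800, "com.")
    key = b"constructed-demo-key"  # constructed; stands in for the com. ZSK
    sig = sign_rrset(key, prefix, owner, TYPE_DS, ttl, rdatas)
    return {
        "full_ok": verify_rrset(key, sig, prefix, owner, TYPE_DS, ttl, rdatas),
        "reordered_ok": verify_rrset(key, sig, prefix, owner, TYPE_DS, ttl, rdatas[::-1]),
        "stripped_ok": verify_rrset(key, sig, prefix, owner, TYPE_DS, ttl, rdatas[:5]),
        "ds_for_31589": len(ds_for_key_tag(rdatas, 31589, 8)),
    }


if __name__ == "__main__":
    print(demo())
```

The stripped case is the attack the answer refers to: a set with one DS removed is a different byte string, so the one RRSIG no longer verifies. The cost of stale DS records after a rollover is therefore only extra bytes hashed into the single signature check, not extra signature verifications; the per-record work the question asks about happens afterwards, when the validator selects the DS entries whose key tag and algorithm match the child's DNSKEY.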