Thank you for the clarification.

On Wed, Jul 3, 2019 at 1:49 AM Ondřej Surý <ond...@isc.org> wrote:
> Yes, the whole RRSet is always signed. Signing individual records would
> not protect against attacks stripping individual records and their RRSIGs.
>
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
> > On 2 Jul 2019, at 19:34, Josh Kuo <josh....@gmail.com> wrote:
> >
> > This may not be the right place to ask; if this is a better question
> > asked in a different list, please let me know.
> >
> > I am curious as to how BIND generates and processes DS RRSIG, and this
> > may not be unique to BIND, since I've seen this behavior across multiple
> > vendors. From the following:
> >
> > $ dig example.com. DS +dnssec +nocrypto
> >
> > ; <<>> DiG 9.12.2-P2 <<>> example.com. DS +dnssec +nocrypto
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48102
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;example.com. IN DS
> >
> > ;; ANSWER SECTION:
> > example.com. 84558 IN DS 43547 8 2 [omitted]
> > example.com. 84558 IN DS 31406 8 1 [omitted]
> > example.com. 84558 IN DS 31406 8 2 [omitted]
> > example.com. 84558 IN DS 31589 8 1 [omitted]
> > example.com. 84558 IN DS 31589 8 2 [omitted]
> > example.com. 84558 IN DS 43547 8 1 [omitted]
> > example.com. 84558 IN RRSIG DS 8 2 86400 20190709042256 20190702031256 3800 com. [omitted]
> >
> > ;; Query time: 228 msec
> > ;; SERVER: 10.0.22.1#53(10.0.22.1)
> > ;; WHEN: Wed Jul 03 01:27:42 PST 2019
> > ;; MSG SIZE rcvd: 455
> >
> > There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> > that the single RRSIG is generated by somehow concatenating all DS records
> > together. This then leads me to believe that the validating resolver needs
> > to process _all_ DS records, not just the ones whose key tag matches the
> > child zone's KSK. Is this true? It seems like a small overhead in the grand
> > scheme of things, but that seems inefficient, if multiple DS records are
> > left at the parent zone after a couple of key rollovers.
> >
> > Any information on this would be appreciated.
> >
> > -Josh
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> > unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
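Added illustration (not part of the thread, and not BIND's code): the construction that makes "the whole RRSet is always signed" concrete. RFC 4034 section 3.1.8.1 defines the data a signer hashes as the RRSIG RDATA (minus the Signature field) followed by every RR of the set in canonical form and canonical order (section 6.3: sorted by RDATA). The RRSIG fields below are the ones visible in the dig output; the six DS digests were omitted in the post, so the ones used here are constructed placeholders of the right length and are not real values. The digest printed is the SHA-256 input to an algorithm 8 (RSA/SHA-256) signature; the RSA step itself is left out since no key is on the page.

```python
import calendar
import hashlib
import struct
from datetime import datetime

DS = 43          # RR type code for DS
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name in canonical form (RFC 4034 s6.2: lowercase labels)."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_rdata(key_tag: int, algorithm: int, digest_type: int, digest: bytes) -> bytes:
    """DS RDATA (RFC 4034 s5.1): key tag | algorithm | digest type | digest."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def rr_canonical(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """Canonical RR wire form: owner | type | class | original TTL | RDLENGTH | RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def sig_time(yyyymmddhhmmss: str) -> int:
    """RRSIG presentation-format timestamp (UTC) -> seconds since the epoch."""
    return calendar.timegm(datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").timetuple())


def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer) -> bytes:
    """RRSIG RDATA with the Signature field left off (RFC 4034 s3.1.8.1)."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                       sig_time(expiration), sig_time(inception), key_tag) + encode_name(signer)


def signed_data(rrsig_prefix: bytes, owner: str, rtype: int,
                original_ttl: int, rdatas: list) -> bytes:
    """Data the signer hashes and signs (RFC 4034 s3.1.8.1):
    RRSIG_RDATA | RR(1) | RR(2) | ... with the RRs in canonical order,
    i.e. sorted by RDATA as unsigned octet strings (s6.3). One signature
    therefore covers the whole RRset; there is no per-record signature."""
    rrs = [rr_canonical(owner, rtype, original_ttl, rd) for rd in sorted(rdatas)]
    return rrsig_prefix + b"".join(rrs)


def constructed_digest(key_tag: int, digest_type: int) -> bytes:
    """Placeholder digest of the right length (20 for SHA-1, 32 for SHA-256).
    The real digests were omitted in the post; these are constructed, NOT real."""
    size = 20 if digest_type == 1 else 32
    return hashlib.sha256(f"constructed-{key_tag}-{digest_type}".encode()).digest()[:size]


# The six DS records from the dig output (key tags and digest types as shown).
DS_RRSET = [ds_rdata(tag, 8, dt, constructed_digest(tag, dt))
            for tag in (43547, 31406, 31589) for dt in (1, 2)]

# RRSIG fields exactly as shown: DS 8 2 86400 20190709042256 20190702031256 3800 com.
RRSIG_PREFIX = rrsig_rdata_prefix(DS, 8, 2, 86400, "20190709042256",
                                  "20190702031256", 3800, "com.")


def digest_over(rdatas: list) -> str:
    """SHA-256 of the to-be-signed data, i.e. what an algorithm 8 signer signs."""
    return hashlib.sha256(
        signed_data(RRSIG_PREFIX, "example.com.", DS, 86400, rdatas)).hexdigest()


def demo() -> dict:
    """Full set vs. one record stripped vs. same set in a different wire order."""
    return {
        "full": digest_over(DS_RRSET),
        "stripped": digest_over(DS_RRSET[1:]),               # one DS removed
        "reordered": digest_over(list(reversed(DS_RRSET))),  # same set, reordered
    }


if __name__ == "__main__":
    r = demo()
    print("full set    :", r["full"])
    print("one stripped:", r["stripped"], "(differs -> RRSIG would not verify)")
    print("reordered   :", r["reordered"], "(same -> canonical order absorbs it)")
```

Two things fall out of the construction. First, a validator needs every DS record in the set to rebuild this byte string, so it cannot verify the RRSIG against only the DS whose key tag matches the child's KSK; it verifies the whole set once and only then picks the DS that matches a DNSKEY. Second, because the RRs are sorted into canonical order before hashing, the order in which the records arrive does not matter, but removing any one of them does, which is exactly why a per-set signature resists the record-stripping attack mentioned in the reply.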