Josh Kuo <josh....@gmail.com> wrote:

> There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> that the single RRSIG is generated by somehow concatenating all DS records
> together.
Correct.

> This then leads me to believe that the validating resolver needs to
> process _all_ DS records, not just the ones whose key tag matches the
> child zone's KSK.

Not quite. One way to validate a delegation is:

* validate the DS RRset, which is signed using the parent's DNSKEY(s)
  [ you can see the "com" signer field in the "example.com" RRSIG ]

* get the key tags from the DS RRset (the first field in the records) and
  the key tags from the child's DNSKEY RRSIG records (between the lifetime
  fields and the signer field) and calculate the key tags of the child's
  DNSKEY records

* take the intersection of these three sets; these key tags identify keys
  that the parent says can validate the DNSKEY RRset, and that actually do
  validate the DNSKEY RRset, and that can be used to validate the DNSKEY
  RRset

* for each DNSKEY in the set, ensure that there is a DS record whose
  digest matches it
  [ you can skip matching attempts when the key tags do not match ]

* using the public keys and signatures you just identified, try to
  validate the self-signature on the DNSKEY RRset; if any of the
  signatures validates, it's all good!
  [ again the key tags let you skip pointless signature validation
  attempts ]

There are some extra complications to do with downgrade protection, but
that's the basic idea.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
women and men working together
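The key-tag intersection and DS-digest matching steps described in the reply above, as an added worked example (this is not Tony's code and not BIND's; it follows RFC 4034 Appendix B for the key tag and section 5.1.4 for the DS digest). Everything below is constructed sample data: the owner name example.com, the names SAMPLE_KSK, SAMPLE_ZSK and OLD_KSK, and their "public key" bytes, which are filler rather than real ECDSA points (key tags and DS digests are computed over raw RDATA, so that does not matter here). The final step, verifying the RRSIG over the DNSKEY RRset with the selected key, needs a crypto library and is deliberately left out.

```python
"""Key-tag intersection and DS-digest matching for a DNSSEC delegation
(RFC 4034), standard library only.  Sample keys are constructed filler;
the RRSIG verification step itself is not shown."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes
    protocol: int = 3   # RFC 4034 s2.1.2: always 3

    @property
    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, RFC 4034 s6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name wire form | DNSKEY RDATA), RFC 4034 s5.1.4."""
    digest = DIGESTS[digest_type](owner_wire(owner) + key.rdata).digest()
    return DS(key_tag(key.rdata), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """Does this DS record vouch for this DNSKEY?  Key tag and algorithm are
    cheap pre-checks; the digest comparison is the real test."""
    if ds.algorithm != key.algorithm or ds.key_tag != key_tag(key.rdata):
        return False
    if ds.digest_type not in DIGESTS:
        return False            # unknown digest type: cannot vouch for anything
    expected = make_ds(owner, key, ds.digest_type).digest
    return hmac.compare_digest(expected, ds.digest)


def select_trusted_keys(owner, dnskeys, ds_rrset, rrsig_key_tags):
    """Steps 2 to 4 of the reply: intersect the key tags seen in the DS RRset,
    in the DNSKEY RRset and in the RRSIGs over the DNSKEY RRset, then confirm
    each surviving DNSKEY against a DS by digest.  Returns the keys whose
    self-signature is worth trying to verify (key tags can collide, so the
    digest check, not the tag, is what establishes the DS/DNSKEY link)."""
    candidates = ({ds.key_tag for ds in ds_rrset}
                  & set(rrsig_key_tags)
                  & {key_tag(k.rdata) for k in dnskeys})
    trusted = []
    for key in dnskeys:
        tag = key_tag(key.rdata)
        if tag not in candidates:
            continue            # no DS or no RRSIG names this tag: skip the digest work
        if any(ds_matches(owner, ds, key) for ds in ds_rrset if ds.key_tag == tag):
            trusted.append(key)
    return trusted


# --- constructed sample delegation for example.com (filler key material) ---
OWNER = "example.com."
SAMPLE_KSK = DNSKEY(257, 13, bytes(range(0x01, 0x11)))   # key tag 17494
SAMPLE_ZSK = DNSKEY(256, 13, bytes(range(0x20, 0x30)))   # key tag 15694
OLD_KSK = DNSKEY(257, 13, bytes(range(0x40, 0x50)))      # retired; not in DNSKEY RRset


def demo():
    """Parent publishes four DS records (SHA-1 and SHA-256 for the current KSK,
    plus two stale ones for a retired KSK); the child's DNSKEY RRset carries
    RRSIGs from both the KSK and the ZSK.  Only the KSK comes back trusted:
    the ZSK has no DS, the retired key has no DNSKEY."""
    dnskeys = [SAMPLE_KSK, SAMPLE_ZSK]
    ds_rrset = [make_ds(OWNER, SAMPLE_KSK, 1), make_ds(OWNER, SAMPLE_KSK, 2),
                make_ds(OWNER, OLD_KSK, 1), make_ds(OWNER, OLD_KSK, 2)]
    rrsig_key_tags = [key_tag(SAMPLE_KSK.rdata), key_tag(SAMPLE_ZSK.rdata)]
    return select_trusted_keys(OWNER, dnskeys, ds_rrset, rrsig_key_tags)


if __name__ == "__main__":
    for k in demo():
        print("trusted DNSKEY, key tag", key_tag(k.rdata))
```

Running it prints the single trusted key (tag 17494). The intersection is only an optimisation for skipping digest and signature work; a DS whose key tag matches but whose digest does not is rejected by `ds_matches`, which is the check that actually ties a DNSKEY to the parent's DS RRset.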