Tony, Thank you for that detailed explanation.
On Wed, Jul 3, 2019 at 2:15 AM Tony Finch <d...@dotat.at> wrote:
> Josh Kuo <josh....@gmail.com> wrote:
> >
> > There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> > that the single RRSIG is generated by somehow concatenating all DS records
> > together.
>
> Correct.
>
> > This then leads me to believe that the validating resolver needs to
> > process _all_ DS records, not just the ones whose key tag matches the
> > child zone's KSK.
>
> Not quite.
>
> One way to validate a delegation is:
>
> * validate the DS RRset, which is signed using the parent's DNSKEY(s)
>   [ you can see the "com" signer field in the "example.com" RRSIG ]
>
> * get the key tags from the DS RRset (the first field in the records)
>   and the key tags from the child's DNSKEY RRSIG records (between lifetime
>   fields and the signer field) and calculate the key tags of the
>   child's DNSKEY records
>
> * take the intersection of these three sets; these key tags identify keys
>   that the parent says can validate the DNSKEY RRset, and that actually do
>   validate the DNSKEY RRset, and that can be used to validate the DNSKEY
>   RRset
>
> * for each DNSKEY in the set, ensure that there is a DS record
>   whose digest matches it [ you can skip matching attempts when the key
>   tags do not match ]
>
> * using the public keys and signatures you just identified, try to
>   validate the self-signature on the DNSKEY RRset; if any of the
>   signatures validates, it's all good! [ again the key tags let you
>   skip pointless signature validation attempts ]
>
> There are some extra complications to do with downgrade protection, but
> that's the basic idea.
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> women and men working together
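The validation walk-through quoted above, worked as a runnable example. This is added illustration code, not BIND's validator and not code from either poster: it constructs a delegation for `example.com.` with six DS records at the parent and a single RRSIG over the child's DNSKEY RRset, computes RFC 4034 key tags and SHA-256 DS digests for real, takes the three-way key-tag intersection, and only then attempts digest and signature checks on the surviving keys. Two things are assumed for the sake of running offline: the canonical RRset bytes are simplified (owner name plus sorted RDATA, without the TTL/class/type fields of RFC 4034 section 6), and the signature primitive is a stand-in MAC (`toy_sign`/`toy_verify`) standing in for the RSA/ECDSA/EdDSA check a resolver would plug in; all key bytes and names are constructed.

```python
"""Delegation validation as sketched in the thread (constructed example).
Signature check is a stand-in; DS digest type 2 (SHA-256) only."""
import hashlib
import hmac
from dataclasses import dataclass

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int           # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key: bytes    # constructed bytes, not a real key
    protocol: int = 3

    def rdata(self):
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self):
        return key_tag(self.rdata())


@dataclass(frozen=True)
class DS:
    key_tag: int         # first field of a DS record
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    key_tag: int         # sits between the lifetime fields and the signer name
    algorithm: int
    signer: str
    signature: bytes


def ds_digest(owner, key):
    """DS digest input is owner name (wire form) || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()


def make_ds(owner, key):
    return DS(key.key_tag(), key.algorithm, DS_DIGEST_SHA256, ds_digest(owner, key))


def rrset_bytes(owner, keys):
    """Simplified canonical RRset bytes: owner || RDATA in sorted order (assumption, see lead-in)."""
    return name_to_wire(owner) + b"".join(sorted(k.rdata() for k in keys))


def toy_sign(key_bytes, data):
    """Stand-in for an asymmetric signature so the example runs offline: NOT a DNSSEC algorithm."""
    return hmac.new(key_bytes, data, hashlib.sha256).digest()


def toy_verify(key_bytes, data, signature):
    return hmac.compare_digest(toy_sign(key_bytes, data), signature)


def candidate_key_tags(ds_rrset, dnskey_rrset, rrsigs):
    """Intersection of the three key-tag sets: DS tags, DNSKEY tags, RRSIG tags."""
    return ({ds.key_tag for ds in ds_rrset}
            & {k.key_tag() for k in dnskey_rrset}
            & {s.key_tag for s in rrsigs})


def validate_dnskey_rrset(owner, ds_rrset, dnskey_rrset, rrsigs, verify=toy_verify):
    """True when some DS-backed DNSKEY validates the DNSKEY RRset's self-signature."""
    tags = candidate_key_tags(ds_rrset, dnskey_rrset, rrsigs)
    trusted = []  # DNSKEYs with a DS whose tag, algorithm and digest all match
    for key in dnskey_rrset:
        if key.key_tag() not in tags:
            continue  # tag not in the intersection: no digest work needed
        for ds in ds_rrset:
            if (ds.key_tag, ds.algorithm, ds.digest_type) != (key.key_tag(), key.algorithm, DS_DIGEST_SHA256):
                continue  # other digest types would need their own hash; not modelled here
            if hmac.compare_digest(ds.digest, ds_digest(owner, key)):
                trusted.append(key)
                break
    data = rrset_bytes(owner, dnskey_rrset)
    for key in trusted:  # one valid self-signature by any trusted key is enough
        for sig in rrsigs:
            if sig.key_tag != key.key_tag() or sig.algorithm != key.algorithm:
                continue  # key tag lets us skip a pointless verification attempt
            if verify(key.public_key, data, sig.signature):
                return True
    return False


def build_example():
    """Constructed delegation: six DS records at the parent, one RRSIG over the child's DNSKEYs."""
    owner = "example.com."
    ksk = DNSKEY(257, 13, b"constructed-ksk-public-key-bytes")
    zsk = DNSKEY(256, 13, b"constructed-zsk-public-key-bytes")
    retired = DNSKEY(257, 13, b"constructed-retired-ksk-no-longer-published")
    dnskey_rrset = [ksk, zsk]
    ds_rrset = [
        make_ds(owner, ksk),                                    # the one DS that establishes trust
        DS(ksk.key_tag(), 13, 1, b"\x00" * 20),                 # SHA-1 digest type: skipped here
        DS(ksk.key_tag(), 13, DS_DIGEST_SHA256, b"\xff" * 32),  # same tag, wrong digest: rejected
        make_ds(owner, retired),                                # stale DS for an unpublished key
        DS(retired.key_tag(), 13, 1, b"\x00" * 20),
        DS(zsk.key_tag(), 8, DS_DIGEST_SHA256, b"\x11" * 32),   # ZSK tag, wrong algorithm
    ]
    sig = toy_sign(ksk.public_key, rrset_bytes(owner, dnskey_rrset))
    rrsigs = [RRSIG(ksk.key_tag(), 13, owner, sig)]
    return owner, ds_rrset, dnskey_rrset, rrsigs


if __name__ == "__main__":
    owner, ds_rrset, dnskey_rrset, rrsigs = build_example()
    print("candidate key tags:", candidate_key_tags(ds_rrset, dnskey_rrset, rrsigs))
    print("delegation validates:", validate_dnskey_rrset(owner, ds_rrset, dnskey_rrset, rrsigs))
```

Of the six DS records only one ever has its digest compared, because the intersection step discards the retired key's tag (no such DNSKEY is published) and the ZSK's tag (no RRSIG was made with it), and the remaining non-matching entries for the KSK's tag are rejected by digest type or digest value. Removing that single good DS makes validation fail, as does appending an extra DNSKEY to the RRset after it was signed.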
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users