On Nov 8, 2010, at 11:41 PM, Jelte Jansen wrote:

> On 11/09/2010 02:33 AM, Roy Arends wrote:
>>>> 4.2.1 KSK Compromise (2nd paragraph)
>>>> A compromised KSK used by an attacker can also sign data in the zone other
>>>> than the key set. An attacker does not need to follow the definitions of
>>>> KSK vs ZSK.
>>>
>>> I wonder how different implementations handle this case......
>>
>> I have tested chains of trust (with BIND9 and unbound) in the past and
>> noticed that its validity did not depend on the SEP bit being clear or set.
>>
>
> If they did, they would not follow the spec ;)
>
> A SEP key can be a ZSK too. The only value of the SEP flag is for operators
> and/or tools, validators should ignore it.
>
> Whether or not a key is a ZSK, a KSK, or both, is, from the validator's point
> of view, defined by whichever signatures you see. So yes, if you can make
> arbitrary signatures with a compromised key, you can 'change' its KSK/ZSK
> status, and no validator should be able to notice. But well, you can make
> arbitrary signatures anyway...
That is exactly what I meant. Apologies if that wasn't clear. When I tested
this, I tested with all possible combos in a single chain: all zsk, all ksk,
combinations of both, etc.

Roy

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
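The point both posters make (a validator's chain walk never reads the SEP bit; a key's "role" is only what it is observed signing) can be shown with a small chain-of-trust walk. The following is an added example for this page, not code from the thread, from BIND9 or from unbound. The key tag (RFC 4034 Appendix B) and the DS digest (RFC 4509, SHA-256 over owner name plus DNSKEY RDATA) are computed the real way; the public-key signature is replaced by a constructed HMAC stand-in (algorithm number 250, a private-use value, and a "public key" that is really the shared secret) so the code runs offline with the standard library only. The zone name, key secrets and A RDATA are constructed sample data.

```python
"""Toy DNSSEC chain walk: DS -> DNSKEY RRset -> target RRset, never reading the SEP flag."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from itertools import product

SEP_FLAG = 0x0001        # RFC 4034 s2.1.1 bit 15: "KSK" by operator convention only
ZONE_KEY_FLAG = 0x0100   # bit 7: must be set for the key to be usable at all
PROTOCOL = 3
ALG_STANDIN = 250        # constructed: private-use algorithm number for the HMAC stand-in
DS_SHA256 = 2


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    pubkey: bytes  # constructed: with the HMAC stand-in this is the shared secret

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, PROTOCOL, ALG_STANDIN) + self.pubkey

    def keytag(self) -> int:
        """RFC 4034 Appendix B key tag (algorithms other than 1). Note it covers the flags."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    keytag: int
    signature: bytes


@dataclass(frozen=True)
class DS:
    keytag: int
    digest_type: int
    digest: bytes


def make_ds(zone: str, key: DNSKEY) -> DS:
    """RFC 4509: digest = SHA-256(owner name wire || DNSKEY RDATA)."""
    return DS(key.keytag(), DS_SHA256, hashlib.sha256(wire_name(zone) + key.rdata()).digest())


def signed_data(type_covered: str, rrset: list[bytes]) -> bytes:
    # RDATA in canonical order (RFC 4034 s6.3); the RRSIG RDATA prefix is omitted for brevity.
    return type_covered.encode() + b"".join(sorted(rrset))


def sign(key: DNSKEY, type_covered: str, rrset: list[bytes]) -> RRSIG:
    # Constructed stand-in for the public-key signature: HMAC over the canonical RRset.
    mac = hmac.new(key.pubkey, signed_data(type_covered, rrset), "sha256").digest()
    return RRSIG(type_covered, key.keytag(), mac)


def verify(key: DNSKEY, sig: RRSIG, rrset: list[bytes]) -> bool:
    expect = hmac.new(key.pubkey, signed_data(sig.type_covered, rrset), "sha256").digest()
    return sig.keytag == key.keytag() and hmac.compare_digest(expect, sig.signature)


def validate(zone, ds_set, dnskeys, dnskey_sigs, target_type, target_rrset, target_sigs) -> bool:
    """The chain walk a validator performs. `flags & SEP_FLAG` is consulted nowhere."""
    usable = [k for k in dnskeys if k.flags & ZONE_KEY_FLAG]
    dnskey_rdata = [k.rdata() for k in dnskeys]
    # 1. Entry keys: DNSKEYs whose DS (tag + digest) appears in the parent's DS set.
    entry = [k for k in usable if make_ds(zone, k) in ds_set]
    # 2. The DNSKEY RRset is trusted once an entry key has validly signed it.
    if not any(verify(k, s, dnskey_rdata)
               for k in entry for s in dnskey_sigs if s.type_covered == "DNSKEY"):
        return False
    # 3. Any key in the now-trusted DNSKEY RRset may sign the target RRset.
    return any(verify(k, s, target_rrset)
               for k in usable for s in target_sigs if s.type_covered == target_type)


def observed_roles(dnskeys, sigs) -> dict[int, set[str]]:
    """The only role notion a validator has: what each key is seen signing."""
    roles = {k.keytag(): set() for k in dnskeys}
    for s in sigs:
        if s.keytag in roles:
            roles[s.keytag].add("KSK" if s.type_covered == "DNSKEY" else "ZSK")
    return roles


A_RRSET = [b"\xc0\x00\x02\x01"]  # constructed A RDATA, 192.0.2.1


def run_all_flag_combinations(zone="example.test.") -> dict[tuple[int, int], bool]:
    """Roy's experiment: every KSK/ZSK flag combination in one chain validates."""
    results = {}
    for f1, f2 in product((ZONE_KEY_FLAG, ZONE_KEY_FLAG | SEP_FLAG), repeat=2):
        k1, k2 = DNSKEY(f1, b"constructed-secret-1"), DNSKEY(f2, b"constructed-secret-2")
        ds_set = [make_ds(zone, k1)]  # the parent only points at k1
        dnskey_sigs = [sign(k1, "DNSKEY", [k1.rdata(), k2.rdata()])]
        results[(f1, f2)] = validate(zone, ds_set, [k1, k2], dnskey_sigs,
                                     "A", A_RRSET, [sign(k2, "A", A_RRSET)])
    return results


def compromised_sep_key_signs_everything(zone="example.test."):
    """The 4.2.1 case: the DS-referenced key signs the A RRset directly. It validates."""
    k = DNSKEY(ZONE_KEY_FLAG | SEP_FLAG, b"constructed-secret-ksk")
    sigs = [sign(k, "DNSKEY", [k.rdata()]), sign(k, "A", A_RRSET)]
    ok = validate(zone, [make_ds(zone, k)], [k], sigs[:1], "A", A_RRSET, sigs[1:])
    return ok, observed_roles([k], sigs)[k.keytag()]


def rogue_key_rejected(zone="example.test.") -> bool:
    """A key outside the zone's DNSKEY RRset fails, whatever its flags claim."""
    k = DNSKEY(ZONE_KEY_FLAG | SEP_FLAG, b"constructed-secret-ksk")
    rogue = DNSKEY(ZONE_KEY_FLAG | SEP_FLAG, b"constructed-secret-rogue")
    dnskey_sigs = [sign(k, "DNSKEY", [k.rdata()])]
    return validate(zone, [make_ds(zone, k)], [k], dnskey_sigs,
                    "A", A_RRSET, [sign(rogue, "A", A_RRSET)])
```

Two things worth noticing when reading the output: `validate` reaches the same verdict for all four flag combinations, and the key in the compromise scenario is reported as both "KSK" and "ZSK" because that is what it was seen signing, which is the only information a validator has. The flags field is not irrelevant to operators, though: it is part of the DNSKEY RDATA, so it enters the key tag and the DS digest, and flipping the SEP bit on an existing key changes both (compare `DNSKEY(257, ...)` and `DNSKEY(256, ...)` tags), which is why an attacker holding a compromised key has no reason to touch the flags at all.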