I'm about to implement algorithm rollover according to section 4.1.5 of rfc4641bis into our homegrown DNSSEC key management system. In the step named "new RRSIGs", the zone is supposed to include the signature of DNSKEY_K_2 over the DNSKEY RRset containing DNSKEY_Z_1 and DNSKEY_K_1. The explanation for this is given as:

> new RRSIGs: The signatures made with the new key over all records in the zone are added, but the key itself is not. This includes the signature for the DNSKEY RRset. While in theory, the signatures of the keyset should always be synchronized with the keyset itself, it can be possible that RRSIGS are requested separately, so it is prudent to also sign the DNSKEY set with the new signature.

[Editorial: the last sentence should read "...to also sign the DNSKEY set with the new key"]

I don't understand which corner case this is supposed to cover. The relevant section of RFC4035 quoted in the draft says:

> There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset itself MUST be signed by each algorithm appearing in the DS RRset located at the delegating parent (if any).

My understanding of this is that there is no requirement for the existence of the signature over the DNSKEY RRset by K_2 until the end of the step "new DNSKEY", because up to that point, the DS doesn't refer to algorithm 2 yet.

The same reasoning appears to me to apply to the step "DNSKEY removal". At that point, the DS record refers only to algorithm 2 and the old DS record has expired. Therefore, RRSIG_K_1(DNSKEY) should not be needed either.

What am I missing?

-- 
Alex

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
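A checker for the two RFC 4035 MUST clauses quoted in the post, run over a rollover modelled on the steps the post names. This is an added example, not code from the draft or from the poster's key-management system; the per-step states, and in particular which DS records a validator may still hold in its cache at each step, are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ZoneState:
    name: str
    ds_algs: frozenset      # DS algorithms a validator may hold (served or still cached)
    dnskey_algs: frozenset  # algorithms present in the apex DNSKEY RRset
    rrsigs: dict            # RRset name -> algorithms that have signed it

def rfc4035_violations(state):
    """Return the quoted MUST clauses the state breaks (empty when compliant)."""
    problems = []
    for rrset, algs in state.rrsigs.items():
        missing = state.dnskey_algs - algs
        if missing:
            problems.append(f"{rrset} lacks RRSIG by alg(s) {sorted(missing)}")
    missing_ds = state.ds_algs - state.rrsigs.get("DNSKEY", frozenset())
    if missing_ds:
        problems.append(f"DNSKEY lacks RRSIG by DS alg(s) {sorted(missing_ds)}")
    return problems

def surplus_dnskey_sigs(state):
    """Algorithms signing the DNSKEY RRset that neither clause demands.
    Clause 1 covers every RRset, the DNSKEY RRset included; clause 2 adds each
    algorithm appearing in the parent's DS RRset."""
    return set(state.rrsigs["DNSKEY"]) - (state.dnskey_algs | state.ds_algs)

# Constructed states: algorithm 1 = old keys (K_1, Z_1), 2 = new keys (K_2, Z_2).
def S(name, ds, keys, soa, dnskey):
    return ZoneState(name, frozenset(ds), frozenset(keys),
                     {"SOA": frozenset(soa), "DNSKEY": frozenset(dnskey)})

ROLLOVER = [
    S("initial",        {1},    {1},    {1},    {1}),
    S("new RRSIGs",     {1},    {1},    {1, 2}, {1, 2}),  # RRSIG_K_2(DNSKEY) added
    S("new DNSKEY",     {1},    {1, 2}, {1, 2}, {1, 2}),
    S("new DS",         {1, 2}, {1, 2}, {1, 2}, {1, 2}),  # old DS may still be cached
    S("DNSKEY removal", {2},    {2},    {1, 2}, {1, 2}),  # old DS expired from caches
    S("RRSIG removal",  {2},    {2},    {2},    {2}),
]

def audit(states=ROLLOVER):
    """Map step name -> (violations, DNSKEY signatures present but not required)."""
    return {s.name: (rfc4035_violations(s), surplus_dnskey_sigs(s)) for s in states}

if __name__ == "__main__":
    for step, (bad, surplus) in audit().items():
        print(f"{step:15} violations={bad or 'none'}  surplus DNSKEY sigs={sorted(surplus) or 'none'}")
```

Changing the assumed cache state changes the answer: if DS_K_1 is modelled as still cached during "DNSKEY removal", clause 2 makes RRSIG_K_1(DNSKEY) mandatory again.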