Well, given that the actual rule is all the algorithms listed in the DS RRset rather than the DNSKEY RRset, and is designed to ensure that there is always a signature present for each of the algorithms that could be used to declare that the child zone is treated as secure, the answer is NO.
Mark

> On 13 Apr 2019, at 1:05 am, Michael StJohns <m...@nthpermutation.com> wrote:
>
> Hi -
>
> I had someone ask me (last night!!) whether or not the "must sign each RRSet
> with all of the algorithms in the DNSKEY RRSet" rule applies if the only key
> with algorithm A in the RRSet has the revoke bit set. A question I had never
> previously considered.
>
> Given that you can't trace trust through that revoked key, and any RRSig
> originated by that key is just extraneous bits, I came to three conclusions:
> 1) A key must not be counted for the purposes of the rule if it has the
> (RFC5011) revoke bit set, 2) the only RRSigs created by a revoked key are
> over the DNSKEY RRSet and 3) it's possible/probable that interpretations
> could differ.
>
> I tagged this email with the algorithm update ID/RFC candidate because about
> the only time you're going to see a revoked singleton key of a given
> algorithm is when you're transitioning the algorithms for the zone.
>
> I hesitate to ask - and apologize for asking given the late date for this
> document, but should the statements (1) and (2) above or something similar be
> included in this document for completeness?
>
> Alternatively, what breaks if publishers omit the extraneous signatures just
> because?
>
> Later, Mike
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
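To make the readings in this exchange concrete, here is an added self-check for a zone publisher (not code from either poster, and not a validator): it reports which algorithms an RRset still lacks an RRSIG for under the DS-RRset rule Mark cites, under the DNSKEY-RRset wording Mike quotes, and under Mike's conclusion (1) that a key with the revoke bit set is not counted. The zone data is constructed; REVOKE is the RFC 5011 flag bit 0x0080, and the rule names are labels chosen here.

```python
"""Self-check for the DNSSEC 'sign with every algorithm' rule under three readings."""
from dataclasses import dataclass

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int

    def revoked(self) -> bool:
        return bool(self.flags & REVOKE)


@dataclass(frozen=True)
class DS:
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    type_covered: str


def required_algorithms(ds_rrset, dnskey_rrset, rule):
    """Algorithms every RRset must carry a signature for, under the chosen reading."""
    if rule == "ds":                 # Mark's reading: algorithms listed in the DS RRset
        return {ds.algorithm for ds in ds_rrset}
    if rule == "dnskey":             # literal DNSKEY-RRset wording: every algorithm present
        return {k.algorithm for k in dnskey_rrset}
    if rule == "dnskey-unrevoked":   # Mike's conclusion (1): revoked keys are not counted
        return {k.algorithm for k in dnskey_rrset if not k.revoked()}
    raise ValueError(f"unknown rule {rule!r}")


def missing_signatures(ds_rrset, dnskey_rrset, rrsigs, rrtype, rule):
    """Set of required algorithms for which `rrtype` has no RRSIG (empty set = compliant)."""
    present = {s.algorithm for s in rrsigs if s.type_covered == rrtype}
    return required_algorithms(ds_rrset, dnskey_rrset, rule) - present


# Constructed zone mid-transition from algorithm 8 to algorithm 13: the last
# algorithm-8 KSK is revoked, the parent's DS RRset still lists both algorithms,
# and the publisher signed only the DNSKEY RRset with the revoked key.
DS_RRSET = [DS(8), DS(13)]
DNSKEY_RRSET = [DNSKEY(257 | REVOKE, 8), DNSKEY(257, 13), DNSKEY(256, 13)]
RRSIGS = [RRSIG(8, "DNSKEY"), RRSIG(13, "DNSKEY"), RRSIG(13, "A")]

if __name__ == "__main__":
    for rule in ("ds", "dnskey", "dnskey-unrevoked"):
        print(rule, "missing for A:", missing_signatures(DS_RRSET, DNSKEY_RRSET, RRSIGS, "A", rule))
```

Under the DS-RRset reading the A RRset is still short an algorithm-8 signature while DS 8 remains at the parent; only the "revoked keys don't count" reading passes.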