This may not be the right place to ask; if this question is better asked on a
different list, please let me know.
I am curious as to how BIND generates and processes DS RRSIG, and this may
not be unique to BIND, since I've seen this behavior across multiple
vendors. From the following:
$ dig ex
Yes, the whole RRSet is always signed. Signing individual records would not
protect against attacks stripping individual records and their RRSIGs.
Ondrej
--
Ondřej Surý
ond...@isc.org
> On 2 Jul 2019, at 19:34, Josh Kuo wrote:
>
> This may not be the right place to ask, if this is a better qu
Thank you for the clarification.
On Wed, Jul 3, 2019 at 1:49 AM Ondřej Surý wrote:
> Yes, the whole RRSet is always signed. Signing individual records would
> not protect against attacks stripping individual records and their RRSIGs.
>
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
> > On 2 Jul
Josh Kuo wrote:
>
> There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> that the single RRSIG is generated by somehow concatenating all DS records
> together.
Correct.
> This then leads me to believe that the validating resolver needs to
> process _all_ DS records, not jus
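The whole-RRset signing that Ondrej and Tony describe, as an added example (not code from the thread or from BIND): it builds the octet string an RRSIG(DS) covers per RFC 4034 section 3.1.8.1 over a constructed two-record DS RRset. The owner name, key tags, digests and timestamps are made-up values, and SHA-256 stands in for the hash step inside the signing algorithm.

```python
import hashlib
import struct

def canonical_name(name: str) -> bytes:
    """Owner name in DNSSEC canonical wire form (RFC 4034 s6.2): labels lowercased."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_rdata(key_tag: int, algorithm: int, digest_type: int, digest: bytes) -> bytes:
    """DS RDATA wire format (RFC 4034 s5.1): key tag, algorithm, digest type, digest."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest

def rrsig_rdata_prefix(type_covered: int, algorithm: int, labels: int, original_ttl: int,
                       expiration: int, inception: int, key_tag: int, signer: str) -> bytes:
    """RRSIG RDATA with the Signature field omitted (RFC 4034 s3.1)."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag) + canonical_name(signer)

def signed_data(owner: str, rrtype: int, rrclass: int, prefix: bytes, rdatas) -> bytes:
    """Octet string the signature is computed over (RFC 4034 s3.1.8.1):
    RRSIG_RDATA | RR(1) | RR(2) | ...  Every RR of the set is included, in canonical
    order (sorted by RDATA as octet strings, s6.3), duplicates removed, TTL = Original TTL."""
    original_ttl = struct.unpack("!I", prefix[4:8])[0]
    name = canonical_name(owner)
    rrs = [name + struct.pack("!HHIH", rrtype, rrclass, original_ttl, len(r)) + r
           for r in sorted(set(rdatas))]
    return prefix + b"".join(rrs)

def message_digest(owner: str, rrtype: int, rrclass: int, prefix: bytes, rdatas) -> str:
    """Hash of the signed data; the zone key signs this, so any change breaks validation."""
    return hashlib.sha256(signed_data(owner, rrtype, rrclass, prefix, rdatas)).hexdigest()

# Constructed sample: one RRSIG(DS) at the parent covering two DS records for example.com.
# Key tags, digests, timestamps and signer are invented, not values from any real zone.
TYPE_DS, CLASS_IN, ALG_RSASHA256, DIGEST_SHA256 = 43, 1, 8, 2
PREFIX = rrsig_rdata_prefix(TYPE_DS, ALG_RSASHA256, 2, 86400, 1563000000, 1561000000, 4242, "com.")
DS_A = ds_rdata(1111, ALG_RSASHA256, DIGEST_SHA256, bytes.fromhex("aa" * 32))
DS_B = ds_rdata(2222, ALG_RSASHA256, DIGEST_SHA256, bytes.fromhex("bb" * 32))

def demo() -> dict:
    """Same set in any order/case hashes identically; the set minus one DS does not."""
    full = message_digest("example.com.", TYPE_DS, CLASS_IN, PREFIX, [DS_B, DS_A])
    reordered = message_digest("EXAMPLE.com.", TYPE_DS, CLASS_IN, PREFIX, [DS_A, DS_B])
    stripped = message_digest("example.com.", TYPE_DS, CLASS_IN, PREFIX, [DS_A])
    return {"full": full, "reordered": reordered, "stripped": stripped}
```

Because the signed octet string contains every DS record, an on-path attacker who drops one record from the response changes the data the validator reconstructs, and the single RRSIG no longer verifies; with one RRSIG per record, the record and its signature could simply be removed together.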
Tony,
Thank you for that detailed explanation.
On Wed, Jul 3, 2019 at 2:15 AM Tony Finch wrote:
> Josh Kuo wrote:
> >
> > There are 6 DS records total, but only 1 RRSIG. This leads me to believe
> > that the single RRSIG is generated by somehow concatenating all DS
> records
> > together.
>
>