03-30-2017 09:41 AM
when I do a dig "dig . dnskey +dnssec", I get 3 DNSKEY records "KSK and two ZSKs". However, only one RRSIG is in the query response.
The RRSIG is only signing the KSK, but none of the two ZSKs have an associated RRSIG.
My question is: shouldn't each of the 3 DNSKEY records have an associated RRSIG?
03-30-2017 10:19 AM
q: shouldn't each of the 3 DNSKEY records have an associated RRSIG?
No, it is not mandatory. The RRSIG is a signature for a SET of the same Name and Records Type, like in this case the DNSKEY.
Actually, by default BIND 9 will create an RRSIG for every DNSKEY, which can be overridden with the statement:
in the named.conf.
dnssec-dnskey-kskonly When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY RRset at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset. This is similar to the dnssec-signzone -x command line option. The default is no.
3. The RRSIG Resource Record
DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets).
07-14-2017 07:25 AM
(somewhat late, but new to this forum)
A bit of misunderstanding, I'm afraid.
So, you saw 3 DNSKEY RRs, but only one RRSIG:
RRSIGs always apply to the complete RRset!
So, the RRSIG you saw is not for one particular DNSKEY.
It is for *all* DNSKEY records.
Why only one RRSIG, and not three (or two)?
There are Zone Signing Keys (ZSK) and Key Signing Keys (KSK).
A ZSK holds a value of 256 (you've seen two of those);
a KSK holds a value of 257 (you've seen one; at this moment there are two, as the KSK rollover has begun).
A ZSK signs every RRset in the zone file.
So it would be logical to see RRSIGs created with (at least) one ZSK.
But RRSIG validation of the DNSKEY RRset does *not* happen via the signature generated via a ZSK!
The option pointed to in the first answer indicates Infoblox can suppress generating/publishing
RRSIGs of DNSKEY RRset, generated from a ZSK.
(so the option has nothing to do with what you see in the root zone,
but with what Infoblox itself publishes in DNSSEC enabled domains)
Validation of the RRSIG of the DNSKEY RRset happens via a/the RRSIG generated from a/the KSKs.
When you saw 2 ZSKs and 1 KSK, the associated RRSIG had been generated with the KSK (private part).
At this moment there are 2 KSKs, but still only 1 RRSIG.
That RRSIG was created with the oldest KSK (id == 19036).
As the admin of the root zone performs "prepublish" key rollovers, and not "double sign",
the new KSK (id == 20326) is merely published, not yet for signing.
One can see key ids with the option +multiline: dig . dnskey +dnssec +multiline
Or, more visually, via http://dnsviz.net/d/root/dnssec/
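The two points made in the answers above (an RRSIG covers the whole DNSKEY RRset, and its key tag field tells you which key, KSK or ZSK, it was made with) can be checked mechanically from the presentation-format lines that `dig . dnskey +dnssec +multiline` prints. The following is an added Python example, not code from either poster or from Infoblox or BIND. It uses constructed DNSKEY and RRSIG lines with tiny throwaway public keys (not the real root zone keys, so the computed key ids are not 19036 or 20326), classifies each key by its flags field (256 = ZSK, 257 = KSK), computes key tags with the RFC 4034 Appendix B algorithm, and reports which key the single RRSIG belongs to.

```python
import base64
from dataclasses import dataclass

# Constructed sample in the shape of `dig . dnskey +dnssec +multiline` output,
# collapsed to one record per line. The public keys are throwaway byte strings,
# NOT the real root zone keys, so the key tags are not 19036 / 20326.
SAMPLE_DNSKEY_RRSET = """\
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 256 3 8 BQYH
. 172800 IN DNSKEY 256 3 8 CQoL
"""

# Constructed RRSIG over the RRset above. Fields after "RRSIG": type covered,
# algorithm, labels, original TTL, expiration, inception, key tag, signer name,
# signature (placeholder base64, not a real signature).
SAMPLE_RRSIG = (
    ". 172800 IN RRSIG DNSKEY 8 0 172800 20170412000000 20170330000000 "
    "2063 . c2lnbmF0dXJl"
)

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1, bit 7: this is a zone key
SEP_FLAG = 0x0001       # RFC 4034 section 2.1.1, bit 15: Secure Entry Point (KSK by convention)


@dataclass
class DnsKey:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def role(self) -> str:
        """256 = zone key only (ZSK); 257 = zone key + SEP (KSK); else not a zone key."""
        if not self.flags & ZONE_KEY_FLAG:
            return "not-a-zone-key"
        return "KSK" if self.flags & SEP_FLAG else "ZSK"

    def rdata(self) -> bytes:
        """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the 'key id' dig +multiline prints).
        Valid for every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey_rrset(text: str) -> list[DnsKey]:
    """Parse presentation-format DNSKEY lines; the base64 key may span several tokens."""
    keys = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[3] != "DNSKEY":
            continue
        pubkey = base64.b64decode("".join(tok[7:]))
        keys.append(DnsKey(tok[0], int(tok[1]), int(tok[4]), int(tok[5]), int(tok[6]), pubkey))
    return keys


def parse_rrsig(line: str) -> dict:
    """Parse one presentation-format RRSIG line into its named fields."""
    tok = line.split()
    if len(tok) < 13 or tok[3] != "RRSIG":
        raise ValueError("not an RRSIG presentation line")
    return {
        "owner": tok[0],
        "type_covered": tok[4],
        "algorithm": int(tok[5]),
        "labels": int(tok[6]),
        "original_ttl": int(tok[7]),
        "expiration": tok[8],
        "inception": tok[9],
        "key_tag": int(tok[10]),
        "signer": tok[11],
        "signature": base64.b64decode("".join(tok[12:])),
    }


def signing_keys(keys: list[DnsKey], rrsig: dict) -> list[DnsKey]:
    """Candidate keys for the RRSIG: same signer name, algorithm and key tag.
    Key tags can collide, so this narrows candidates; a validator then checks the signature."""
    return [
        k for k in keys
        if k.owner == rrsig["signer"]
        and k.algorithm == rrsig["algorithm"]
        and k.key_tag() == rrsig["key_tag"]
    ]


def explain(keys: list[DnsKey], rrsig: dict) -> dict:
    """Summarise what one RRSIG means for the whole DNSKEY RRset."""
    signers = signing_keys(keys, rrsig)
    return {
        "rrset_size": len(keys),
        # An RRSIG over DNSKEY covers every record in the set, not one DNSKEY.
        "records_covered": len(keys) if rrsig["type_covered"] == "DNSKEY" else 0,
        "signer_roles": [k.role for k in signers],
        "zsk_signed_dnskey": any(k.role == "ZSK" for k in signers),
    }


if __name__ == "__main__":
    keys = parse_dnskey_rrset(SAMPLE_DNSKEY_RRSET)
    for k in keys:
        print(f"{k.role} flags={k.flags} alg={k.algorithm} key id={k.key_tag()}")
    print(explain(keys, parse_rrsig(SAMPLE_RRSIG)))
```

With the sample input, the one RRSIG covers all three DNSKEY records and its key tag matches only the 257-flagged key, which is exactly the situation in the question: no ZSK-made RRSIG over the DNSKEY RRset, and nothing missing. Run against real `dig` output, the same `key_tag()` values are the "key id" comments that `+multiline` prints.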