Accepted Solution

DNSSEC- Root zone has 3 DNSKEY RRs but only one RRSIG

Guru
Posts: 188

Hi,

When I do a dig "dig . dnskey +dnssec", I get 3 DNSKEY records (the KSK and two ZSKs). However, only one RRSIG is in the query response.

The RRSIG is only signing the KSK, but neither of the two ZSKs has an associated RRSIG.

My question is: shouldn't each of the 3 DNSKEY records have an associated RRSIG?

Kindly

Wasfi


Re: DNSSEC- Root zone has 3 DNSKEY RRs but only one RRSIG

Expert
Posts: 42

q: shouldn't each of the 3 DNSKEY records have an associated RRSIG?

No, it is not mandatory. The RRSIG is a signature for a SET of records with the same Name and Record Type, like in this case the DNSKEY.

Actually, by default BIND 9 will create an RRSIG for every DNSKEY, which can be overridden with the statement:

"dnssec-dnskey-kskonly yes;"

in the named.conf.

More Info:

dnssec-dnskey-kskonly: When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY RRset at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset. This is similar to the dnssec-signzone -x command line option. The default is no.

References:

1. https://www.ietf.org/rfc/rfc4034.txt, section 3, "The RRSIG Resource Record":
   "DNSSEC uses public key cryptography to sign and authenticate DNS
   resource record sets (RRsets)."

2. https://lists.isc.org/pipermail/bind-users/2012-December/089358.html

3. https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.pdf


Re: DNSSEC- Root zone has 3 DNSKEY RRs but only one RRSIG

Guru
Posts: 188

Thank you MPL. That makes things very clear.

Kindly

Wasfi


Re: DNSSEC- Root zone has 3 DNSKEY RRs but only one RRSIG

Techie
Posts: 1

(somewhat late, but new to this forum)

A bit of misunderstanding, I'm afraid.

So, you saw 3 DNSKEY RRs, but only one RRSIG:

An RRSIG always applies to the complete RRset!

So, the RRSIG you saw is not for one particular DNSKEY.

It is for *all* DNSKEY records.

Why only one RRSIG, and not three (or two)?

There are Zone Signing Keys (ZSK) and Key Signing Keys (KSK).

A ZSK holds the value 256 (you've seen two of those);

a KSK holds the value 257 (you've seen one - at this moment there are two, as the KSK rollover has begun).

A ZSK signs every RRset in the zone file.
So it would be logical to see RRSIGs created with (at least) one ZSK.

But RRSIG validation of the DNSKEY RRset does *not* happen via the signature generated with a ZSK!

The option pointed to in the first answer indicates that Infoblox can suppress generating/publishing
RRSIGs of the DNSKEY RRset generated from a ZSK.

(So the option has nothing to do with what you see in the root zone,
but with what Infoblox itself publishes in DNSSEC-enabled domains.)

Validation of the RRSIG of the DNSKEY RRset happens via the RRSIG generated from the KSK(s).

When you saw 2 ZSKs and 1 KSK, the associated RRSIG had been generated with the KSK (private part).

At this moment there are 2 KSKs, but still only 1 RRSIG.

That RRSIG was created with the oldest KSK (id == 19036).

As the admin of the root zone performs "prepublish" key rollovers, and not "double sign",
the new KSK (id == 20326) is merely published, not yet used for signing.

One can see key IDs with the option +multiline: dig . dnskey +dnssec +multiline

Or more visually via http://dnsviz.net/d/root/dnssec/

Kind regards,
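As an added example (not part of this thread, and not Infoblox's or ISC's code), the following Python script makes the two answers above concrete: it computes RFC 4034 Appendix B key tags for a DNSKEY RRset, tells KSKs (flags 257, SEP bit set) from ZSKs (flags 256), and shows that a single RRSIG line carries exactly one key tag and one "type covered" field, so the one signature covers the whole DNSKEY RRset and is checked against the KSK rather than there being one signature per key. The records are constructed placeholders with tiny public-key fields, not the real root keys; the real root key tags mentioned above (19036, 20326) come from dig . dnskey +dnssec +multiline, and the helper names (key_tag, parse_dnskeys, parse_rrsig, explain) are this example's own.

```python
import base64

# Constructed sample DNSKEY RRset in dig presentation format. NOT the real root
# keys: the public-key fields are short placeholders so the example runs offline.
# Field order: owner TTL class DNSKEY flags protocol algorithm public-key(base64)
SAMPLE_DNSKEY_RRSET = """\
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 256 3 8 Cgs=
. 172800 IN DNSKEY 256 3 8 ECAw
"""

# One constructed RRSIG covering the whole DNSKEY RRset. Field order (RFC 4034
# section 3): type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer's name, signature. Key tag 2063 is the tag the
# code below computes for the constructed KSK; the signature is a placeholder.
SAMPLE_RRSIG = (". 172800 IN RRSIG DNSKEY 8 0 172800 20380101000000 "
                "20000101000000 2063 . c2lnbmF0dXJl")


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B.1, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8     # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """Parse dig-style DNSKEY lines into dicts with role and key tag."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
        pub = base64.b64decode("".join(fields[7:]))
        role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit: 257 vs 256
        keys.append({"owner": fields[0], "flags": flags, "role": role,
                     "algorithm": alg, "tag": key_tag(flags, proto, alg, pub)})
    return keys


def parse_rrsig(line):
    """Pull the fields that matter for matching an RRSIG to its RRset and key."""
    f = line.split()
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "key_tag": int(f[10]), "signer": f[11]}


def explain(dnskey_text, rrsig_line):
    """Relate one RRSIG to the DNSKEY RRset: how many records it covers and
    which key (by role) produced it. The RRSIG names a type, not a record."""
    keys = parse_dnskeys(dnskey_text)
    sig = parse_rrsig(rrsig_line)
    covered = [k for k in keys
               if sig["type_covered"] == "DNSKEY" and k["owner"] == sig["owner"]]
    signers = [k for k in keys
               if k["tag"] == sig["key_tag"] and k["algorithm"] == sig["algorithm"]]
    return {
        "records_covered": len(covered),                     # whole RRset
        "signing_key_role": signers[0]["role"] if signers else None,
        "signing_key_tag": sig["key_tag"],
        "ksk_tags": [k["tag"] for k in keys if k["role"] == "KSK"],
        "zsk_tags": [k["tag"] for k in keys if k["role"] == "ZSK"],
    }


if __name__ == "__main__":
    for line in SAMPLE_DNSKEY_RRSET.splitlines():
        k = parse_dnskeys(line)[0]
        print(f"{k['role']} flags={k['flags']} tag={k['tag']}")
    print(explain(SAMPLE_DNSKEY_RRSET, SAMPLE_RRSIG))
```

Run against a real capture, paste the DNSKEY lines from dig . dnskey +dnssec +multiline into SAMPLE_DNSKEY_RRSET and the RRSIG line into SAMPLE_RRSIG: the computed tags should match the "key id" values dig prints, and the RRSIG's key tag should match one of the KSKs, which is exactly the one-signature-for-the-set situation the answers describe. During a prepublish rollover a second KSK appears in the RRset with no matching RRSIG key tag, as the last answer notes.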
