Multiple DS records

use*_*904 5 domain-name-system dnssec

I would like to know how validating resolvers handle multiple DS records. Suppose we have a zone with one KSK and one ZSK, but after some key rollover shenanigans, the parent zone holds two DS records: one pointing to the current KSK and one pointing to an old KSK that is no longer published.

As long as the DNSKEY RRset is signed by a key that at least one DS record in the parent points to, will the resolver ignore the old DS record and validate the zone?

And*_*w B 5

Most operators would expect orphaned DS records to be ignored. It is well documented that multiple DS RRs may be encountered, one or more of which may not align with the corresponding DNSKEY RRset.

https://tools.ietf.org/html/rfc4035#section-2.4

2.4.  Including DS RRs in a Zone

   The DS resource record establishes authentication chains between DNS
   zones.  A DS RRset SHOULD be present at a delegation point when the
   child zone is signed.  The DS RRset MAY contain multiple records,
   each referencing a public key in the child zone used to verify the
   RRSIGs in that zone.  All DS RRsets in a zone MUST be signed, and DS
   RRsets MUST NOT appear at a zone's apex.

   A DS RR SHOULD point to a DNSKEY RR that is present in the child's
   apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
   by the corresponding private key.  DS RRs that fail to meet these
   conditions are not useful for validation, but because the DS RR and
   its corresponding DNSKEY RR are in different zones, and because the
   DNS is only loosely consistent, temporary mismatches can occur.

This establishes that multiple DS RRs are allowed, and that each of these RRs SHOULD be signed by the corresponding DNSKEY RR. While the exact behavior on encountering an orphaned DS RR is not spelled out, it has been established that mismatches can and do occur, and are to be expected.

Finally, one can draw a conclusion from the fact that the DNS is acknowledged to be only loosely consistent, and that expecting otherwise is a mistake. So one could certainly write a validator implementation that discards the zone as bogus, but doing so would serve little purpose. At the end of the day, the main factors to consider are whether the zone is signed, and whether a valid cryptographic path exists between the DS RRset and the signed RRs.

https://tools.ietf.org/html/rfc6840#section-5.11

5.11.  Mandatory Algorithm Rules

   The last paragraph of Section 2.2 of [RFC4035] includes rules
   describing which algorithms must be used to sign a zone.  Since these
   rules have been confusing, they are restated using different language
   here:

      The DS RRset and DNSKEY RRset are used to signal which algorithms
      are used to sign a zone.  The presence of an algorithm in either a
      zone's DS or DNSKEY RRset signals that that algorithm is used to
      sign the entire zone.

      A signed zone MUST include a DNSKEY for each algorithm present in
      the zone's DS RRset and expected trust anchors for the zone.  The
      zone MUST also be signed with each algorithm (though not each key)
      present in the DNSKEY RRset.  It is possible to add algorithms at
      the DNSKEY that aren't in the DS record, but not vice versa.  If
      more than one key of the same algorithm is in the DNSKEY RRset, it
      is sufficient to sign each RRset with any subset of these DNSKEYs.
      It is acceptable to sign some RRsets with one subset of keys (or
      key) and other RRsets with a different subset, so long as at least
      one DNSKEY of each algorithm is used to sign each RRset.
      Likewise, if there are DS records for multiple keys of the same
      algorithm, any subset of those may appear in the DNSKEY RRset.

   This requirement applies to servers, not validators.  Validators
   SHOULD accept any single valid path.  They SHOULD NOT insist that all
   algorithms signaled in the DS RRset work, and they MUST NOT insist
   that all algorithms signaled in the DNSKEY RRset work.  A validator
   MAY have a configuration option to perform a signature completeness
   test to support troubleshooting.

The overall picture becomes clearer here: validators should not be in the business of policing every possible permutation of DS and DNSKEY. The most important detail is whether a valid path exists.
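How a validator applies the "any single valid path" rule when the parent still carries an orphaned DS, as an added Python example that is not part of the original answer. It computes key tags and SHA-256 DS digests per RFC 4034, but stands in for RRSIG verification with a constructed set of key tags that signed the apex DNSKEY RRset; the zone name, key bytes and algorithm number are made up.

```python
# Added example: chain-of-trust selection with an orphaned DS in the parent.
# Key tags (RFC 4034 App. B) and DS digests (RFC 4034 5.1.4) are computed for
# real; RRSIG checking is replaced by a constructed set of signing key tags.
import hashlib
import hmac

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol=3(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS as (key tag, algorithm, digest type 2, SHA-256(owner | DNSKEY RDATA))."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def trusted_key_tags(owner, ds_rrset, dnskey_rrset, rrsig_key_tags):
    """Key tags of DNSKEYs that match some parent DS *and* signed the apex DNSKEY
    RRset. A DS with no matching DNSKEY is skipped, not treated as an error
    (RFC 6840 5.11: any single valid path is enough)."""
    found = []
    for rdata in dnskey_rrset:
        tag = key_tag(rdata)
        for ds_tag, ds_alg, ds_type, ds_digest in ds_rrset:
            if (ds_tag, ds_alg, ds_type) != (tag, rdata[3], 2):
                continue  # key tag, algorithm and digest type must agree first
            if hmac.compare_digest(ds_digest, make_ds(owner, rdata)[3]):
                if tag in rrsig_key_tags:
                    found.append(tag)
    return found

# Constructed state: current KSK and ZSK published, old KSK withdrawn, but the
# parent still serves DS records for both KSKs (algorithm 13 assumed, fake keys).
ZONE = "example.com."
CUR_KSK = dnskey_rdata(257, 13, bytes(range(64)))
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))
DS_RRSET = [make_ds(ZONE, CUR_KSK), make_ds(ZONE, OLD_KSK)]
DNSKEY_RRSET = [CUR_KSK, ZSK]
SIGNED_BY = {key_tag(CUR_KSK)}  # RRSIG(DNSKEY) made with the current KSK only
```

An empty result means no path from the DS RRset to the signed keys, which is the bogus case; a non-empty result means the orphaned DS was simply never consulted.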