[Opendnssec-user] DNSKEY RRset signing with ZSK

Paul Wouters paul at nohats.ca
Thu Sep 13 03:05:04 UTC 2012


On Wed, 12 Sep 2012, Rick van Rein wrote:

>> I'm looking at telling opendnssec to sign the DNSKEY RRset with both the
>> ZSK and KSK.
>
> Interesting -- what would be the use of such a configuration?
>
> It would introduce more signatures, and so more things to check (overhead,
> delays) to the DNSKEY RRset, without introducing additional validation
> paths because the KSK is the mechanism to validate DNSKEY RRsets.
>
> Moreover, it could trigger concealed bugs -- for instance, a ZSK following
> a different algorithm than the KSK could influence the set of algorithms
> that is required by a validating resolver (presumably due to bugs) as a
> result of doing something so unconventional.
>
> I'm curious about your usage pattern that would make this a necessity?

The reason I noticed is that I'm signing a zone with bind and
opendnssec, then zeroing out the RRSIGs and comparing the zones. This way
a bug in either bind or opendnssec would be spotted before a zone
is pushed live. The test fails because of the additional RRSIG.

I don't care much either way. I think resolvers all work with the ZSK
not signing the DNSKEY RRset.

Amusingly enough, bind's dnssec-signzone has a -x option to disable
the ZSK RRSIG over the DNSKEY RRset, but it seems to not work at all.

So I have two implementations that I can't seem to configure to act
the same, regardless of which of the two options would actually have
been preferred.

Paul
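The differential check described in the message above, written out as an added example (not code from the thread, from bind, or from OpenDNSSEC). It takes two signed copies of one zone in presentation format, zeroes out the per-signer parts of every RRSIG (the timestamps and the signature bytes), and reports the records that remain in only one copy, plus the key tags found on RRSIGs covering the apex DNSKEY RRset, so a ZSK signature over DNSKEY shows up as a named cause rather than an anonymous diff. Assumptions: one RR per line, no multi-line parentheses, and both signers were fed the same keys so key tags agree; the two sample zones, the key tags 12345 (KSK) and 54321 (ZSK) and the signature strings are all constructed placeholders.

```python
"""Differential test of two signed copies of one zone (added example).

Signatures differ between signers by construction (timestamps, salt, the
signature bytes themselves), so those RRSIG fields are zeroed before the
two record sets are compared. Everything else must match exactly.
"""

# Field positions inside RRSIG RDATA, per RFC 4034 section 3.1:
# type_covered alg labels orig_ttl expiration inception keytag signer signature
RRSIG_TYPE_COVERED, RRSIG_EXPIRATION, RRSIG_INCEPTION = 0, 4, 5
RRSIG_KEYTAG, RRSIG_SIGNER = 6, 7


def parse_zone(text):
    """Parse a one-RR-per-line zone into (owner, ttl, class, type, rdata_fields)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):    # skip blanks and $ORIGIN/$TTL
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        records.append((owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records


def zero_signature(rdata):
    """Blank the signer-specific RRSIG fields, keep covered type, key tag, signer."""
    fields = list(rdata)
    fields[RRSIG_EXPIRATION] = "0"
    fields[RRSIG_INCEPTION] = "0"
    return fields[:RRSIG_SIGNER + 1] + ["<zeroed>"]


def normalise(records):
    """Return a hashable set of records with RRSIGs zeroed out."""
    out = set()
    for owner, ttl, rclass, rtype, rdata in records:
        if rtype == "RRSIG":
            rdata = zero_signature(rdata)
        out.add((owner, ttl, rclass, rtype, " ".join(rdata)))
    return out


def dnskey_signers(records, apex):
    """Key tags of all RRSIGs covering the DNSKEY RRset at the zone apex."""
    return sorted(
        int(r[4][RRSIG_KEYTAG]) for r in records
        if r[3] == "RRSIG" and r[0] == apex.lower()
        and r[4][RRSIG_TYPE_COVERED].upper() == "DNSKEY"
    )


def compare_zones(text_a, text_b, apex):
    """Diff two signed zones after zeroing RRSIGs; also list DNSKEY signers."""
    ra, rb = parse_zone(text_a), parse_zone(text_b)
    na, nb = normalise(ra), normalise(rb)
    return {
        "only_in_a": sorted(na - nb),
        "only_in_b": sorted(nb - na),
        "dnskey_signers_a": dnskey_signers(ra, apex),
        "dnskey_signers_b": dnskey_signers(rb, apex),
    }


# Constructed sample zones. Signer A signs DNSKEY with the KSK (tag 12345)
# only; signer B additionally signs it with the ZSK (tag 54321). Signature
# data and timestamps are placeholders, not real cryptographic output.
ZONE_A = """\
example.test. 3600 IN SOA ns.example.test. hostmaster.example.test. 2012091301 7200 3600 1209600 3600
example.test. 3600 IN NS ns.example.test.
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKSK=
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcZSK=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20121012000000 20120912000000 12345 example.test. c2lnS1NL
example.test. 3600 IN RRSIG SOA 8 2 3600 20121012000000 20120912000000 54321 example.test. c2lnU09B
example.test. 3600 IN RRSIG NS 8 2 3600 20121012000000 20120912000000 54321 example.test. c2lnTlM=
ns.example.test. 3600 IN A 192.0.2.1
ns.example.test. 3600 IN RRSIG A 8 3 3600 20121012000000 20120912000000 54321 example.test. c2lnQQ==
"""

ZONE_B = """\
example.test. 3600 IN SOA ns.example.test. hostmaster.example.test. 2012091301 7200 3600 1209600 3600
example.test. 3600 IN NS ns.example.test.
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKSK=
example.test. 3600 IN DNSKEY 256 3 8 AwEAAcZSK=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20121013000000 20120913000000 12345 example.test. b3RoZXJLU0s=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20121013000000 20120913000000 54321 example.test. b3RoZXJaU0s=
example.test. 3600 IN RRSIG SOA 8 2 3600 20121013000000 20120913000000 54321 example.test. b3RoZXJTT0E=
example.test. 3600 IN RRSIG NS 8 2 3600 20121013000000 20120913000000 54321 example.test. b3RoZXJOUw==
ns.example.test. 3600 IN A 192.0.2.1
ns.example.test. 3600 IN RRSIG A 8 3 3600 20121013000000 20120913000000 54321 example.test. b3RoZXJB
"""

if __name__ == "__main__":
    result = compare_zones(ZONE_A, ZONE_B, "example.test.")
    for side in ("only_in_a", "only_in_b"):
        for rec in result[side]:
            print(side, *rec)
    print("DNSKEY signed by key tags, A:", result["dnskey_signers_a"],
          "B:", result["dnskey_signers_b"])
```

On the sample input the only surviving difference is the zeroed RRSIG over DNSKEY with key tag 54321, and the signer lists make it explicit that copy B has the ZSK covering the DNSKEY RRset while copy A does not. Any other mismatch (a missing NSEC, a wrong TTL, a dropped record) would surface in the same diff, which is the property the check is meant to give before a zone goes live.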
