Re: [DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035 (2)

Viktor Dukhovni <> Mon, 11 November 2019 20:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 93B0B120825 for <>; Mon, 11 Nov 2019 12:48:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id khGz3iHQV-E9 for <>; Mon, 11 Nov 2019 12:48:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EA233120019 for <>; Mon, 11 Nov 2019 12:47:59 -0800 (PST)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 1CCD332ACD6 for <>; Mon, 11 Nov 2019 15:47:59 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Mon, 11 Nov 2019 15:47:58 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035 (2)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Nov 2019 20:48:03 -0000

> On Nov 11, 2019, at 2:39 PM, Дилян Палаузов <> wrote:
> Does it make sense to generate RRSIG for the ZSK and why 1/3 of the DNSSEC
> enabled sites [sample size of 3], maintaining DNSSEC enabled DNS servers do it?

While it makes sense to keep DNS RRsets as small as possible,
to avoid UDP fragmentation issues, there is no prior restraint
on signing the DNSKEY RRset also with the ZSKs.

Therefore, while avoiding redundant signatures can be seen as
a best-practice it is not presently a requirement.

If you're looking for guidance on whether your DNSKEY RRsets
should be signed also with the ZSKs, the answer is generally

You're typically better off signing them with just the KSKs
(keys with the SEP bit set in their flags), provided it is
these same KSKs that match the DS RRs in the parent zone.

IIRC the SEP bit in the key flags is only a hint (generally
valid) that the key is (was, or is intended to be in the
future) one of the ones matching a DS RRset at the parent.
Ultimately, one or more key matching the DS RRs signs the
DNSKEY RRset, and one or more keys that appear in the DNSKEY
RRset sign the rest of the RRsets.

Algorithm agility means that validators may ignore some
weaker algorithms or keys in the presence of stronger
algorithms, which may necessitate signing with more than
one key in some cases, to accommodate both validators
that prefer stronger keys and validators that don't yet
support the stronger keys.

The rule of thumb is that each key algorithm that appears
in the DNSKEY RRset, should also be used to sign each RRset
with at least one key of that type.

Thus, for example, when removing a signing algorithm, one
should first remove the DS RR, then the KSK and finally the
ZSK.  When adding a new algorithm, first add a ZSK, then a
corresponding KSK, and finally the DS.  In both cases with
various delays in between to allow updated records to displace
stale cached data.

I should perhaps also note that recently many zones employing
ECDSA P-256 (algorithm 13) have dispensed with having a separate
KSK and ZSK and use the KSK also for zone signing.  Their DNSKEY
RRset has just one key.  With RSA one generally wants a 2048-bit
"long-term" KSK and a shorter (1280-bit perhaps) ZSK that should
be rotated more frequently.  A 2048-bit ZSK would result in NSEC
and especially NSEC3 response sizes that exceed recommended UDP
response size limits.

KSK == ZSK is a valid choice for ECDSA P-256 that also keeps
the DNSKEY RRset reasonably small.

The single KSK == ZSK count is quite visible in my DNSSEC survey:

    * 3477400 algorithm 13 "KSKs" ((flags & 257) == 257)
    * 2016046 algorithm 13 "ZKSs" ((flags & 257) == 256)

The 1.46 million domain discrepancy is domains with just one key.