[DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035

Дилян Палаузов <dilyan.palauzov@aegee.org> Mon, 11 November 2019 19:09 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1A37A120C09 for <dnsop@ietfa.amsl.com>; Mon, 11 Nov 2019 11:09:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Nb1fv9l-syOw for <dnsop@ietfa.amsl.com>; Mon, 11 Nov 2019 11:09:00 -0800 (PST)
Received: from mail.aegee.org (mail.aegee.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27D4F120C0B for <dnsop@ietf.org>; Mon, 11 Nov 2019 11:08:26 -0800 (PST)
Authentication-Results: mail.aegee.org/xABJ7vrq007989; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1573499300; i=dkim+MSA-tls@aegee.org; bh=CwZ+AXMjjOgZ7OFxhZsKWb7Ez8pc9aZc7lminkzD76A=; h=Subject:From:To:Date; b=MoNdjca38i0SqGMSqJh3z9TakMDOeUm7d1cbWDimLyS0acwkRqUAcP6RLEhafIkHi p9dQsa2fpdbRw/iNQvX/LIwHw9/LE6vxSO7XuakUEja9CK3gROyyXBv/IieCD9+DUd 6K+0Unij8y7KyuFpdPBuoDZFfRWUy4ysFO0mSeDW0957ngI2nKe/e+WJgdm5guYflX 4rLsdsJsuUSlxFUtlhV/ugnUyGVOHkvpECsIVtY7DUmO0v7j4+u8aHH8K+FsODOe4h E91hhZwO+Mp0MF2KNu1hSxQsqywN16/GpX8K3h8rNdo55ASH1MGizZdcWTo1WUfI+1 6ObfldrC8uJ+8MOMq7UVH/6FSC0E5FNHQDjkafSMy0tHxGHw3AHfMTpvebzt9ZZPih 4ZBugWff8JQ/3l7kK13a4TJCkBn0spltXQPcklIr5q5FEJOuP2AuZzgCfQ/La+lzFt m6MJEy2luPX1UwYn57GYM31UzKsvi0HVctk6CGXuu+OvLErxDqX8OxDR/2yQs9onR3 F5MgGPUyktD2ztF7W4oH7Hbhe/D/vL/H8rvqaY5+UolQd4VDuvALLerwC8emXJNHbE oDyv2vOa52A5xIUYFW/jCZH8oK18fkEeoia81tK5f36JIuC19zb9frqrtERD630mWl i9F4mvSlnra7BlM5jK3m6lgQ=
Authentication-Results: mail.aegee.org/xABJ7vrq007989; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg []) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id xABJ7vrq007989 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <dnsop@ietf.org>; Mon, 11 Nov 2019 19:08:16 GMT
Message-ID: <8f5027d509619b8dd14d821eaec6d4b050e12077.camel@aegee.org>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <dilyan.palauzov@aegee.org>
To: dnsop@ietf.org
Date: Mon, 11 Nov 2019 19:07:57 +0000
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.35.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.4 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PXntM05N_mEUURfga_UhmXrEDh0>
Subject: [DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Nov 2019 19:09:05 -0000


my understanding of the RFC series is, that if an RFC B obsoletes RFC A, then RFC B cannot briefly mention a subject and
refer to RFC A for details.

At  https://tools.ietf.org/html/rfc4033 , https://tools.ietf.org/html/rfc4034 and https://tools.ietf.org/html/rfc4035 is
written that these RFCs together obsolete RFC 3755 and RFC 3757.  The obsoleting text is in the Introduction of RFC

RFC 4033 Section 2 „Definitions of Important DNSSEC Terms“ says: „Key signing keys are discussed in more detail in

In “3.1.  Data Origin Authentication and Data Integrity” it states “See [RFC3755] for details.”

RFC 4034 contains in section “2.1.1.  The Flags Field”: “Bit 15 of the Flags field is the Secure Entry Point flag,
described in [RFC3757].”

So RFC 4033 obsoletes RFC 3757, mentions briefy the term “Key signing keys” and refers to RFC 3757 for details.

This way of describing adds additional complexity for the reader to understand DNSSEC, as it is not clear in which order
to read the RFCs to understand the topics and leaves unclear, whether obsoleted RFCs shall be read.

I have a question about https://tools.ietf.org/html/rfc4035#appendix-A “Signed Zone Example” for the zone “example.”:

The zone contains:

  3600 DNSKEY 256 3 5 (
  ) ;{id = 38519 (zsk), size = 1024b}
  3600 DNSKEY 257 3 5 (
  ) ;{id = 9465 (ksk), size = 1024b}
  3600 RRSIG  DNSKEY 5 1 3600 20040509183619 (
    20040409183619 9465 example.
  3600 RRSIG  DNSKEY 5 1 3600 20040509183619 (
    20040409183619 38519 example.

For brevity I have replaced some base64-encoded text with *.  The id=(zks/ksk) comments are not part of the RFCs.  I 
extracted them with ldns-read-zone.

The DNSKEY 256 is the Zone-Signing-Key with id 38519 and 257 is the Key-Signing-Key id 9465.

My understanding is that the root zone (.) has signed one DS record for the example. zone and this DS record in practice
refers to the 257 Key-Signing-Key.  Then the resolver validates that the hash in the DS record matches a KSK DNSKEY in
the zone appex and that this DNSKEY validates the RRSIG.  The valid RRSIG validates and covers all DNSKEYs, meaning the
ZSK DNSKEY is validated this way.

Why does example. zone contain a RRSIG for DNSKEY that are signend by the ZSK?

Compare to DS IANA.ORG, which returns currently six DS records for three distinct DNSKEYs with labels 6730, 14351 and
39817 (delv +short DS IANA.ORG):

6730 8 1 15A1EE709E51C0652799D9CD364A37ACB8E67285
6730 8 2 FCA03776FA33AB57369AAE8B089938F4001E208094362734242A7EBE 4DDB5755
14351 8 1 4C08C05754DDA7CCF62B41AC450873D271221CC3
14351 8 2 E1A0C92C0663202240FC3481F747D00901CD14E268B884A1142D7A47 5DB1A810
39817 8 1 4B2634F69EDD8D0741DA8629E2064B05E8138E51
39817 8 2 5FB72AE84C35A35DDF7FA24EA791CD9763C4360979C0CBB6FF2C407A F9AE5802

delv +dnssec DNSKEY IANA.ORG   returns:

DNSKEY  256 3 8 AwEAAbS+H*zJr  ; ZSK; alg = RSASHA256 ; key id = 41470
DNSKEY  256 3 8 AwEAAc0xH*yrP  ; ZSK; alg = RSASHA256 ; key id = 1723
DNSKEY  257 3 8 AwEAAa02O*qU=  ; KSK; alg = RSASHA256 ; key id = 21911
DNSKEY  257 3 8 AwEAAb0i1*Ik=  ; KSK; alg = RSASHA256 ; key id = 39817
RRSIG   DNSKEY 8 2 3600 20191127114538 20191106083616 21911 iana.org. bdC*3A==
RRSIG   DNSKEY 8 2 3600 20191127114538 20191106083616 39817 iana.org. ADP*XEQ==

So the RRSIG are signed only by KSKs (21911 and 39817) and the ZSK are not used to generate RRSIG for the DNSKEYs.  I
guess label 39817 is in a roll-over process and will disappear soon.

Why the example from RFC 4035 Appendix A generats RRSIG for DNSKEY signed by the ZSK, but for IANA.ORG there is no such

If this is not the right mailing list, which is the right one?