Re: [DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035 (2)

Tony Finch <dot@dotat.at> Wed, 13 November 2019 15:03 UTC

To: Дилян Палаузов <dilyan.palauzov@aegee.org>
cc: dnsop@ietf.org
In-Reply-To: <45da1ecde592be34b00b8fab64bcd6ee591019b4.camel@aegee.org>
Message-ID: <alpine.DEB.2.20.1911131459580.10845@grey.csi.cam.ac.uk>
References: <8f5027d509619b8dd14d821eaec6d4b050e12077.camel@aegee.org> <45da1ecde592be34b00b8fab64bcd6ee591019b4.camel@aegee.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dqQv9zM9O4Nd8h_BZFnPuQHZ_14>

Дилян Палаузов <dilyan.palauzov@aegee.org> wrote:
>
> Does it make sense to generate RRSIG for the ZSK, and why do 1/3 of the
> DNSSEC-enabled sites that maintain DNSSEC-enabled DNS servers do it?

This is at least partly a BIND peculiarity. By default it signs the DNSKEY
RRset with all the keys. You can tell `named` to sign only with the KSK
using the `dnssec-dnskey-kskonly` option, and `dnssec-signzone` with the
`-x` option.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: North or northwest 3 to 5 increasing 6
or 7, perhaps gale 8 later, in Cromarty, Forth and east Forties. Slight or
moderate, occasionally rough. Showers. Good.
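
Added example, not part of Tony's message and not BIND code: a small Python checker that reads `dig +dnssec example. DNSKEY`-style output (one record per line, as `dig` prints without `+multiline`) and reports whether the apex DNSKEY RRset carries ZSK signatures in addition to the KSK one. It computes RFC 4034 Appendix B key tags to match each RRSIG to a DNSKEY, and uses the SEP bit (flags 257 versus 256) to tell KSK from ZSK. The records it runs on are constructed inline with fake, repetitive key material and a fake signature field; the zone name `example.`, the TTLs and the validity dates are assumptions, not data from a real zone.

```python
"""Report whether a zone's DNSKEY RRset is signed by ZSKs as well as the KSK.

Added example, not from the original mailing-list message or from BIND.
Input: dig-style presentation records, one record per line. The sample
records below are CONSTRUCTED with fake key material (not real ECDSA points).
"""
import base64
import struct

SEP_FLAG = 0x0001  # RFC 4034 section 2.1.1: Secure Entry Point bit marks a KSK


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses the legacy key tag; not handled")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(lines):
    """Return {key_tag: flags} for every DNSKEY record found."""
    keys = {}
    for line in lines:
        f = line.split()
        # name ttl class DNSKEY flags protocol algorithm base64-key...
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        pubkey = base64.b64decode("".join(f[7:]))
        keys[key_tag(flags, proto, alg, pubkey)] = flags
    return keys


def dnskey_rrsig_tags(lines):
    """Return the key tags of RRSIGs whose type-covered field is DNSKEY."""
    tags = []
    for line in lines:
        f = line.split()
        # name ttl class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
        if len(f) >= 13 and f[3] == "RRSIG" and f[4] == "DNSKEY":
            tags.append(int(f[10]))
    return tags


def audit(lines):
    """Classify the signers of the DNSKEY RRset as KSK, ZSK or not present in the RRset."""
    keys = parse_dnskeys(lines)
    signers = dnskey_rrsig_tags(lines)
    ksk = [t for t in signers if t in keys and keys[t] & SEP_FLAG]
    zsk = [t for t in signers if t in keys and not keys[t] & SEP_FLAG]
    # A signer that is not in the DNSKEY RRset cannot be validated (RFC 4035 section 5.3.1).
    unknown = [t for t in signers if t not in keys]
    return {"ksk": ksk, "zsk": zsk, "unknown": unknown,
            "kskonly": bool(ksk) and not zsk and not unknown}


def sample_records(sign_with_zsk: bool):
    """CONSTRUCTED records: fake 64-byte keys and a fake signature, tags precomputed by hand."""
    zsk_key = base64.b64encode(bytes([0x55]) * 64).decode()  # key tag 44727
    ksk_key = base64.b64encode(bytes([0xAA]) * 64).decode()  # key tag 22883
    fake_sig = base64.b64encode(bytes(64)).decode()
    rrsig = ("example. 3600 IN RRSIG DNSKEY 13 1 3600 20191213150332 20191113150332 "
             "{tag} example. " + fake_sig)
    lines = [
        "example. 3600 IN DNSKEY 256 3 13 " + zsk_key,
        "example. 3600 IN DNSKEY 257 3 13 " + ksk_key,
        rrsig.format(tag=22883),  # KSK signature, always present
    ]
    if sign_with_zsk:
        lines.append(rrsig.format(tag=44727))  # the extra ZSK signature BIND adds by default
    return lines


if __name__ == "__main__":
    for with_zsk in (True, False):
        print("ZSK also signs DNSKEY:" if with_zsk else "KSK-only signing:",
              audit(sample_records(with_zsk)))
```

On a BIND signer the corresponding knobs are `dnssec-dnskey-kskonly yes;` in the zone or options block of named.conf, or `-x` on the `dnssec-signzone` command line. RFC 4035 section 2.2 permits the additional ZSK signatures, so a `kskonly` of False is a response-size and hygiene finding, not a validation failure; an `unknown` key tag, by contrast, means an RRSIG whose signer is missing from the RRset and is worth investigating.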