Hi Steve, all,
this topic has also been discussed on the multi-signer mailing-list and OARC Mattermost.
As a reminder, the situation is that DS is being updated (at an already secured delegation
point) as a result of detecting novel CDNSKEY. What I think after those discussions:
1) FRED should not actually care about the Flags field in CDNSKEY (nor in corresponding
DNSKEY). Processing CDNSKEY with Flags 256 (i.e. SEP bit cleared) seems OK. I suspect that
your assumption, that 256-flagged CDNSKEY would be ignored, was incorrect.
2) According to RFC 7344, Section 4.1, Bullet "Continuity", FRED should (it is
actually a MUST) check the delegation, if it works with updated DS. The RFC is pretty
vague about the details here. I suspect that FRED is missing some (or any) such checks and
this can be considered a bug in FRED. There are some viable options what FRED could check,
depending on available codebase (and therefore ease of implementation):
2a) perform an iterative validation of the child zone's DNSKEY with the new DS-to-be
installed as a trust anchor (this might be easy if there is an iterative DNSSEC validation
tool already part of FRED)
2b) the same as 2a) but validate the child zone's SOA (this might avoid updating DS
when the child zone is wrongly signed itself, dunno if better or worse)
2c) only check that the DNSKEY corresponding to the DS-to-be is used to sign DNSKEY in the
child zone (this could be easier to implement as a single-RR validator is only needed,
which is already probably part of FRED due to necessary CDNSKEY-RRSIG validation...)
2d) only check by keytag that the DNSKEY corresponding to the DS-to-be is used to sign
DNSKEY in the child zone (this is the easiest way possible, only compute the keytag of the
accepted CDNSKEY and search for it in the child's DNSKEY-RRSIG)
(All those options would need to be elaborated, e.g. for the case of multiple CDNSKEYs
(and DSs)....)
Any of those possible bugfixes would prevent what you observed -- accepting a ZSK as an
entry point for DS. Note that DNSKEY/CDNSKEY flags don't play any role here.
Nevertheless, the idea of re-purposing apex CDNSKEYs is IMHO not good.
Libor
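One way to implement the key-tag continuity check of option 2d, as an added example that is neither FRED's code nor part of the message above. The presentation-format parsing, the `example.` zone data and the toy public-key bytes are constructed assumptions; the key tag algorithm itself is the one from RFC 4034 Appendix B.

```python
"""Registry-side continuity check by key tag (option 2d in the message above).

Assumed flow: the parent has accepted a CDNSKEY from the child apex and is about
to publish a DS derived from it. Before doing so, confirm that the key the
CDNSKEY names actually signs the child's DNSKEY RRset, i.e. that its key tag
appears in an RRSIG(DNSKEY) at the child apex. A ZSK-only CDNSKEY (the case
reported in this thread) fails the check even though its flags are valid.
"""
import base64
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key bytes, base64-decoded from presentation format

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except 1 / RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    key_tag: int
    signer: str


def parse_dnskey(line: str) -> DnsKey:
    """Parse a DNSKEY or CDNSKEY record in presentation format.
    Layout: owner TTL class TYPE flags protocol algorithm base64..."""
    f = line.split()
    if f[3] not in ("DNSKEY", "CDNSKEY"):
        raise ValueError(f"not a (C)DNSKEY record: {line!r}")
    return DnsKey(owner=f[0].lower(), flags=int(f[4]), protocol=int(f[5]),
                  algorithm=int(f[6]), public_key=base64.b64decode("".join(f[7:])))


def parse_rrsig(line: str) -> Rrsig:
    """Parse an RRSIG record in presentation format (signature bytes ignored).
    Layout: owner TTL class RRSIG covered alg labels origttl exp inc keytag signer sig"""
    f = line.split()
    if f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0].lower(), type_covered=f[4],
                 key_tag=int(f[10]), signer=f[11].lower())


def signs_child_dnskey(cdnskey: DnsKey, rrsigs: Iterable[Rrsig]) -> bool:
    """Option 2d: the accepted CDNSKEY's key tag must appear in an RRSIG that
    covers the child's DNSKEY RRset and is signed by the child apex itself."""
    tag = cdnskey.key_tag()
    return any(r.type_covered == "DNSKEY" and r.owner == cdnskey.owner
               and r.signer == cdnskey.owner and r.key_tag == tag
               for r in rrsigs)


def evaluate_cdnskey(cdnskey_line: str, rrsig_lines: Iterable[str]) -> dict:
    """Decide whether a DS derived from this CDNSKEY may be published."""
    key = parse_dnskey(cdnskey_line)
    rrsigs: List[Rrsig] = [parse_rrsig(l) for l in rrsig_lines]
    return {"key_tag": key.key_tag(), "flags": key.flags,
            "ok_to_publish_ds": signs_child_dnskey(key, rrsigs)}


# Constructed sample data for a child zone "example." (toy key bytes; real
# algorithm 13 public keys are 64 bytes). The KSK (tag 2068) signs DNSKEY,
# the ZSK (tag 4123) signs only the SOA.
CHILD_KSK = "example. 3600 IN DNSKEY 257 3 13 AQIDBA=="
CHILD_ZSK = "example. 3600 IN DNSKEY 256 3 13 BQYHCA=="
CHILD_RRSIGS = [
    "example. 3600 IN RRSIG DNSKEY 13 1 3600 20240201000000 20240101000000 2068 example. c2lnMQ==",
    "example. 3600 IN RRSIG SOA 13 1 3600 20240201000000 20240101000000 4123 example. c2lnMg==",
]
CDNSKEY_FROM_KSK = "example. 3600 IN CDNSKEY 257 3 13 AQIDBA=="
CDNSKEY_FROM_ZSK = "example. 3600 IN CDNSKEY 256 3 13 BQYHCA=="

if __name__ == "__main__":
    for line in (CDNSKEY_FROM_KSK, CDNSKEY_FROM_ZSK):
        print(evaluate_cdnskey(line, CHILD_RRSIGS))
```

The check deliberately ignores the Flags field, as point 1 argues, and relies only on which key signs the DNSKEY RRset. Key tags are not unique, so a colliding tag from an unrelated key could pass this test; option 2c (actually verifying the RRSIG(DNSKEY) with the candidate key) closes that gap at the cost of needing a single-RR validator.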