ISC Open Source Projects / BIND / Issues / #1316 (Closed)
Issue created Nov 11, 2019 by Ghost User@ghost

Toggle the default of dnssec-dnskey-kskonly to YES

These DNSSEC-capable servers are maintained at these DNSSEC-enabled domains:

- BIND → isc.org
- NSD → nlnetlabs.nl
- PowerDNS → powerdns.com
- KnotDNS → knot-dns.cz

Of the mentioned domains, only isc.org signs the DNSKEYs using ZSK.

Per the thread “On obsoleting DNSSEC RFCs; Example from RFC 4035” from today at https://mailarchive.ietf.org/arch/browse/dnsop/ these extra RRSIGs add to the payload without adding value.

Please switch the default for dnssec-dnskey-kskonly to YES and possibly write some explanation of why one would want to use NO.

Also add some default, when the KSK is ECDSA P-256 (algorithm 13) and there is no ZSK, to use the KSK for signing everything, as this makes sense.

Per the fourth message of the mentioned discussion, state that with algorithm 13 the answers fit in UDP and there is no need for a ZSK: if the KSK is algorithm 13, then there is no need for a ZSK. And possibly adjust this logic for ISC.ORG, or write in the documentation why you do not agree with this logic.
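The following is an added illustration, not code from the issue or from BIND, of the check behind this request: given a zone's DNSKEY RRset and the RRSIGs covering it, determine whether the DNSKEY RRset is signed only by SEP-flagged keys (KSK-only) or also by a ZSK, and estimate how many wire bytes each extra RRSIG costs in a response. The key tag is computed per RFC 4034 Appendix B; the DNSKEY and RRSIG records, the signer name `example.` and the 64-byte all-zero signatures are constructed sample data (not real keys or signatures from isc.org or any other zone).

```python
import struct
from dataclasses import dataclass

# Constructed sample data throughout; nothing here is real key material.
SEP_FLAG = 0x0001          # DNSKEY flags bit 15: Secure Entry Point, i.e. a KSK
ZONE_KEY_FLAG = 0x0100     # DNSKEY flags bit 7: Zone Key
ECDSAP256SHA256 = 13       # DNSSEC algorithm number for ECDSA P-256 / SHA-256
ECDSAP256_SIG_LEN = 64     # RFC 6605: r || s, 32 bytes each


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key(n)
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def role(self) -> str:
        return "KSK" if self.flags & SEP_FLAG else "ZSK"


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    signature: bytes


def dnskey_signers(keys, rrsigs):
    """Role (KSK/ZSK/UNKNOWN) of the key behind each RRSIG over the DNSKEY RRset."""
    by_tag = {k.key_tag(): k for k in keys}
    roles = []
    for sig in rrsigs:
        if sig.type_covered != "DNSKEY":
            continue
        key = by_tag.get(sig.key_tag)
        roles.append(key.role() if key else "UNKNOWN")
    return roles


def is_kskonly(keys, rrsigs) -> bool:
    """True when every RRSIG over DNSKEY was produced by a SEP-flagged key."""
    roles = dnskey_signers(keys, rrsigs)
    return bool(roles) and all(r == "KSK" for r in roles)


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def rrsig_rr_wire_size(sig: RRSIG) -> int:
    """Approximate bytes one RRSIG RR adds to a response (owner name compressed)."""
    header = 2 + 2 + 2 + 4 + 2                     # owner ptr, type, class, TTL, rdlength
    fixed_rdata = 18                               # covered, alg, labels, 3x TTL/time, key tag
    return header + fixed_rdata + name_wire_len(sig.signer) + len(sig.signature)


# Constructed zone: one KSK (flags 257) and one ZSK (flags 256), both algorithm 13.
KSK = DNSKEY(ZONE_KEY_FLAG | SEP_FLAG, 3, ECDSAP256SHA256, b"\x01\x02\x03\x04")
ZSK = DNSKEY(ZONE_KEY_FLAG, 3, ECDSAP256SHA256, b"\x05\x06\x07\x08")
KEYS = [KSK, ZSK]

# Constructed RRSIGs over DNSKEY: one from each key (dnssec-dnskey-kskonly no).
SIGS_BOTH = [
    RRSIG("DNSKEY", 13, KSK.key_tag(), "example.", b"\x00" * ECDSAP256_SIG_LEN),
    RRSIG("DNSKEY", 13, ZSK.key_tag(), "example.", b"\x00" * ECDSAP256_SIG_LEN),
]
# The same RRset signed only by the KSK (dnssec-dnskey-kskonly yes).
SIGS_KSKONLY = SIGS_BOTH[:1]


def extra_bytes_from_zsk_signatures(keys, rrsigs) -> int:
    """Wire bytes spent on DNSKEY RRSIGs that a non-SEP key produced."""
    by_tag = {k.key_tag(): k for k in keys}
    return sum(rrsig_rr_wire_size(s) for s in rrsigs
               if s.type_covered == "DNSKEY"
               and s.key_tag in by_tag and by_tag[s.key_tag].role() == "ZSK")


if __name__ == "__main__":
    print("key tags:", KSK.key_tag(), ZSK.key_tag())
    print("signers:", dnskey_signers(KEYS, SIGS_BOTH), "kskonly:", is_kskonly(KEYS, SIGS_BOTH))
    print("bytes added by ZSK signature:", extra_bytes_from_zsk_signatures(KEYS, SIGS_BOTH))
```

Run against a real zone, the same logic applies to the DNSKEY and RRSIG records returned by a resolver query for the DNSKEY type: the key-tag lookup ties each signature to a key, and the SEP flag decides whether a ZSK signature is present. The size estimate is for the RR on the wire with a compressed owner name; with algorithm 13 the per-signature cost is dominated by the fixed 64-byte signature, which is what makes the single-key setup discussed in the thread attractive.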

Edited Oct 06, 2021 by Mark Andrews