Closed
Opened Nov 11, 2019 by Dilyan Palauzov@dilyanpalauzov

Toggle the default of dnssec-dnskey-kskonly to YES

These DNSSEC-capable servers are maintained at these DNSSEC-enabled domains:
  • BIND → isc.org
  • NSD → nlnetlabs.nl
  • PowerDNS → powerdns.com
  • KnotDNS → knot-dns.cz

Of the mentioned domains, only isc.org signs the DNSKEYs using ZSK.

Per the thread “On obsoleting DNSSEC RFCs; Example from RFC 4035” from today at https://mailarchive.ietf.org/arch/browse/dnsop/, these extra RRSIGs add to the payload without adding value.

Please switch the default for dnssec-dnskey-kskonly to YES and possibly write some explanation of why one would want to use NO.

Also add some default, when the KSK is ECDSA P-256 (algorithm 13) and there is no ZSK, to use the KSK for signing anything, as this makes sense.

Per the fourth message of the mentioned discussion, state that with algorithm 13 the answers fit in UDP and there is no need for a ZSK: if the KSK is algorithm 13, then there is no need for a ZSK. And possibly adjust this logic for ISC.ORG, or write in the documentation why you do not agree with this logic.

Edited Nov 11, 2019 by Dilyan Palauzov
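As an added example, not part of the issue or of BIND's own code: a small check that reads a zone's apex DNSKEY and RRSIG records (zone-file presentation format) and reports which non-SEP keys, i.e. ZSKs, have signed the DNSKEY RRset. An empty result is what `dnssec-dnskey-kskonly yes` produces; a non-empty one is the extra-RRSIG situation the issue describes. The records, zone name `example.test.` and key material are constructed for the example, not real data.

```python
import base64

# Constructed DNSKEY/RRSIG records for a hypothetical zone (dummy keys and signatures).
SAMPLE_RECORDS = """\
example.test. 3600 IN DNSKEY 257 3 13 AAAAAA==
example.test. 3600 IN DNSKEY 256 3 13 AQID
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20191201000000 20191101000000 1038 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20191201000000 20191101000000 2063 example.test. c2lnMg==
"""

SEP_FLAG = 0x0001  # Secure Entry Point bit; by convention marks a KSK (RFC 4034 section 2.1.1)


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (every algorithm except 1/RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Return ({key_tag: flags} for DNSKEYs, [key tags of RRSIGs covering DNSKEY])."""
    keys, dnskey_sigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pubkey = base64.b64decode("".join(f[7:]))  # public key may span several tokens
            keys[key_tag(flags, proto, alg, pubkey)] = flags
        elif f[3] == "RRSIG" and f[4] == "DNSKEY" and len(f) >= 13:
            dnskey_sigs.append(int(f[10]))  # field 10 of an RRSIG is the signing key's tag
    return keys, dnskey_sigs


def zsk_signers_of_dnskey(text):
    """Key tags of non-SEP (ZSK) keys whose RRSIGs cover the DNSKEY RRset.

    Empty list: the apex DNSKEY RRset is signed by KSKs only, as with
    dnssec-dnskey-kskonly yes. Non-empty: ZSK signatures are also present.
    """
    keys, sigs = parse_records(text)
    return sorted(tag for tag in sigs if tag in keys and not keys[tag] & SEP_FLAG)


if __name__ == "__main__":
    print(zsk_signers_of_dnskey(SAMPLE_RECORDS))  # [2063]: the ZSK also signs DNSKEY
```

The same check works on the output of a query for the apex DNSKEY RRset with RRSIGs included, since that is the presentation format the parser expects.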
Reference: isc-projects/bind9#1316