I was surprised to see double signatures on CDS / CDNSKEY records when using `dnsssec-signzone -x` - I thought the KSK signing behaviour should be the same for CDNSKEY / CDS as it is for DNSKEY. I would like to avoid them for CDNSKEY in particular, since I want to avoid sending large responses as much as I can.
---
 bin/dnssec/dnssec-signzone.c | 8 ++++----
 bin/dnssec/dnssec-signzone.docbook | 5 +++--
 doc/arm/Bv9ARM-book.xml | 6 +++---
 lib/dns/zone.c | 13 +++++++------
 4 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 4775955..5d278a1 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -659,7 +659,9 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 
 if (!issigningkey(key))
 continue;
- if (set->type == dns_rdatatype_dnskey &&
+ if ((set->type == dns_rdatatype_cds ||
+ set->type == dns_rdatatype_cdnskey ||
+ set->type == dns_rdatatype_dnskey) &&
 dns_name_equal(name, gorigin)) {
 isc_boolean_t have_ksk;
 dns_dnsseckey_t *tmpkey;
@@ -680,9 +682,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 (iszsk(key) && !keyset_kskonly))
 signwithkey(name, set, key->key, ttl, add,
 "signing with dnskey");
- } else if (set->type == dns_rdatatype_cds ||
- set->type == dns_rdatatype_cdnskey ||
- iszsk(key)) {
+ } else if (iszsk(key)) {
 signwithkey(name, set, key->key, ttl, add,
 "signing with dnskey");
 }
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 82089a9..79e5d25 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
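Review bot: The widened condition adds CDS and CDNSKEY to the apex DNSKEY signing path without saying why, while the lib/dns/zone.c side of this same patch does get a comment, so a reader of signset alone cannot tell the grouping is deliberate. I would put `/* CDS and CDNSKEY at the apex follow the DNSKEY policy: RFC 7344 section 4.1 wants them signed by a key in the parent DS, i.e. a KSK. */` above the `if`. The check is on the KSK flag and the apex name, not on DS membership, so the comment should not claim more than that. The body of signset, including the have_ksk computation this branch relies on, continues between and beyond the two hunks.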
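Review bot: After this hunk a CDS or CDNSKEY RRset that is not at the zone apex reaches the `else if (iszsk(key))` branch and is signed by ZSKs only, whereas the removed condition had every signing key, KSKs included, sign it; neither the commit message nor the `-x` documentation in this patch mentions that non-apex case. The change looks right if those records are only meaningful at the child apex, but it deserves a line such as `/* Non-apex CDS/CDNSKEY are ordinary data: ZSK-signed like any other RRset. */` so the dropped type test is not re-added later as a supposed regression fix. signset continues outside the hunk.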
@@ -705,8 +705,9 @@
 -x
- Only sign the DNSKEY RRset with key-signing keys, and omit
- signatures from zone-signing keys. (This is similar to the
+ Only sign the DNSKEY, CDNSKEY, and CDS RRsets with
+ key-signing keys, and omit signatures from zone-signing
+ keys. (This is similar to the
 dnssec-dnskey-kskonly yes; zone option in named.)
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 2c5ff64..c2f7add 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -7261,9 +7261,9 @@ options {
 When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used
- to sign the DNSKEY RRset at the zone apex. Zone-signing
- keys (keys without the KSK bit set) will be used to sign
- the remainder of the zone, but not the DNSKEY RRset.
+ to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex.
+ Zone-signing keys (keys without the KSK bit set) will be used
+ to sign the remainder of the zone, but not the DNSKEY RRset.
 This is similar to the dnssec-signzone -x command line option.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2b56aff..248bf3d 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6643,15 +6643,16 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
 if (rdataset.type == dns_rdatatype_soa ||
 rdataset.type == dns_rdatatype_rrsig)
 goto next_rdataset;
- if (rdataset.type == dns_rdatatype_dnskey) {
+ if (rdataset.type == dns_rdatatype_dnskey ||
+ rdataset.type == dns_rdatatype_cdnskey ||
+ rdataset.type == dns_rdatatype_cds) {
+ /*
+ * CDS and CDNSKEY are signed with KSK like DNSKEY
+ * (RFC 7344, 4.1).
+ */
 if (!is_ksk && keyset_kskonly)
 goto next_rdataset;
 } else if (is_ksk) {
- /*
- * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
- */
- if (rdataset.type != dns_rdatatype_cds &&
- rdataset.type != dns_rdatatype_cdnskey)
 goto next_rdataset;
 }
 if (*delegation &&
-- 
2.10.1.445.g3cdd5d1
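Review bot: The new comment above `if (!is_ksk && keyset_kskonly)` cites RFC 7344 section 4.1 as if the code implemented it, but that section requires the CDS/CDNSKEY signer to be a key present in both the DNSKEY RRset and the parent's DS RRset, and the code only tests the KSK flag via `is_ksk`; during a KSK rollover a KSK not yet in the DS passes this check but not the parent's. I would make the comment say what is enforced: `/* CDS and CDNSKEY follow the DNSKEY policy (RFC 7344, 4.1 expects a signer present in the parent DS, i.e. a KSK); DS membership itself is not checked here. */`. Unlike the dnssec-signzone.c hunk in this patch, this branch has no apex-name check, so the KSK-only rule under dnssec-dnskey-kskonly also applies to any non-apex DNSKEY/CDS/CDNSKEY this loop meets; that is pre-existing for DNSKEY but worth confirming for the two new types. sign_a_node begins and ends outside the hunk.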