domain-name-system – Multiple DS records


Overview

I would like to know how validating resolvers handle multiple DS records. Suppose we have a zone with one KSK and one ZSK, but after some key-rollover shenanigans there are two DS records in the parent zone: one pointing at the current KSK and one pointing at an older KSK that is no longer published.

As long as the DNSKEY RRset is signed by a key that at least one DS record in the parent points to, will the resolver ignore the old DS record and validate the zone?

Solution

Most operators would expect orphan DS records to be ignored. It is well documented that one can encounter multiple DS RRs, one or more of which may not line up with the corresponding DNSKEY RRset.

https://tools.ietf.org/html/rfc4035#section-2.4

2.4.  Including DS RRs in a Zone

   The DS resource record establishes authentication chains between DNS zones. A DS RRset SHOULD be present at a delegation point when the child zone is signed. The DS RRset MAY contain multiple records, each referencing a public key in the child zone used to verify the RRSIGs in that zone. All DS RRsets in a zone MUST be signed, and DS RRsets MUST NOT appear at a zone's apex.

   A DS RR SHOULD point to a DNSKEY RR that is present in the child's apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed by the corresponding private key. DS RRs that fail to meet these conditions are not useful for validation, but because the DS RR and its corresponding DNSKEY RR are in different zones, and because the DNS is only loosely consistent, temporary mismatches can occur.

This establishes that multiple DS RRs are allowed, and that each should be signed by the corresponding DNSKEY RR. While the exact behaviour on encountering an orphan DS RR is not spelled out, it is established that mismatches can and do occur, and are to be expected.

Finally, from the admission that the DNS is only loosely consistent one can gather that the opposite expectation would be mistaken. One could certainly write a validator implementation that treats the zone as bogus, but doing so would not be very useful. At the end of the day, the main factors to consider are whether the zone is signed and whether a valid cryptographic path exists between the DS RRset and the signed RRs.

https://tools.ietf.org/html/rfc6840#section-5.11

5.11.  Mandatory Algorithm Rules

   The last paragraph of Section 2.2 of [RFC4035] includes rules describing which algorithms must be used to sign a zone. Since these rules have been confusing, they are restated using different language here:

      The DS RRset and DNSKEY RRset are used to signal which algorithms are used to sign a zone. The presence of an algorithm in either a zone's DS or DNSKEY RRset signals that that algorithm is used to sign the entire zone.

      A signed zone MUST include a DNSKEY for each algorithm present in the zone's DS RRset and expected trust anchors for the zone. The zone MUST also be signed with each algorithm (though not each key) present in the DNSKEY RRset. It is possible to add algorithms at the DNSKEY that aren't in the DS record, but not vice versa. If more than one key of the same algorithm is in the DNSKEY RRset, it is sufficient to sign each RRset with any subset of these DNSKEYs. It is acceptable to sign some RRsets with one subset of keys (or key) and other RRsets with a different subset, so long as at least one DNSKEY of each algorithm is used to sign each RRset. Likewise, if there are DS records for multiple keys of the same algorithm, any subset of those may appear in the DNSKEY RRset.

   This requirement applies to servers, not validators. Validators SHOULD accept any single valid path. They SHOULD NOT insist that all algorithms signaled in the DS RRset work, and they MUST NOT insist that all algorithms signaled in the DNSKEY RRset work. A validator MAY have a configuration option to perform a signature completeness test to support troubleshooting.

The overall picture becomes clearer here: the validator is not expected to police every possible permutation of DS and DNSKEY. The most important detail is whether a valid path exists.
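To make the "any single valid path" rule concrete, here is an added example (not part of the original question or answer, and not taken from any resolver's code base) of the DS-to-DNSKEY matching step a validator performs: it derives DS records from DNSKEY RDATA the way RFC 4034 section 5.1.4 and Appendix B describe (SHA-256 digest over the canonical owner name plus the DNSKEY RDATA, plus the 16-bit key tag), then checks a parent DS RRset against the child's apex DNSKEY RRset. A DS that matches nothing is reported as an orphan and skipped; the delegation is accepted as long as one DS matches a zone key. The zone name, flag values and the 32-byte key material are constructed for illustration and are not real keys; the subsequent step, verifying the RRSIG over the DNSKEY RRset with the matched key, is not shown.

```python
"""Added example: DS <-> DNSKEY matching with orphan DS records ignored.
Key bytes and zone name are constructed placeholders, not real keys."""
import hashlib
import struct

ALG_ED25519 = 15          # DNSSEC algorithm number (IANA registry)
DIGEST_SHA256 = 2         # DS digest type (IANA registry)
FLAG_ZONE_KEY = 0x0100    # DNSKEY flags bit 7 (RFC 4034 s2.1.1)
FLAG_SEP = 0x0001         # DNSKEY flags bit 15, set on a KSK


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """DS RDATA for a DNSKEY: digest = SHA-256(owner wire name || DNSKEY RDATA)."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": DIGEST_SHA256,
            "digest": hashlib.sha256(name_to_wire(owner) + rdata).digest()}


def match_ds(owner, ds_rrset, dnskey_rrset):
    """Pair each parent DS with the child DNSKEY it authenticates.
    Returns (matched, orphans); orphans are DS records that match no usable key."""
    matched, orphans = [], []
    for ds in ds_rrset:
        hit = None
        for rdata in dnskey_rrset:
            flags, proto, alg = struct.unpack("!HBB", rdata[:4])
            if proto != 3 or not flags & FLAG_ZONE_KEY:
                continue  # RFC 4035 s5.2: must be a zone key with protocol 3
            if alg != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
                continue  # cheap pre-filter before hashing
            if ds["digest_type"] != DIGEST_SHA256:
                continue  # this example only knows SHA-256 digests
            if hashlib.sha256(name_to_wire(owner) + rdata).digest() == ds["digest"]:
                hit = rdata
                break
        if hit is None:
            orphans.append(ds)
        else:
            matched.append((ds, hit))
    return matched, orphans


def delegation_status(owner, ds_rrset, dnskey_rrset):
    """'Secure' when any single DS->DNSKEY path exists (RFC 6840 s5.11), else 'Bogus'.
    The caller must still verify the DNSKEY RRset's RRSIG with a matched key."""
    matched, _ = match_ds(owner, ds_rrset, dnskey_rrset)
    return "Secure" if matched else "Bogus"


def demo():
    """The scenario from the question: one stale DS and one current DS in the parent."""
    zone = "example.org."  # constructed
    current_ksk = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ED25519, bytes(range(1, 33)))
    old_ksk = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ED25519, bytes(range(101, 133)))
    zsk = dnskey_rdata(FLAG_ZONE_KEY, ALG_ED25519, bytes(range(201, 233)))
    child_dnskeys = [current_ksk, zsk]                                 # old KSK withdrawn
    parent_ds = [make_ds(zone, old_ksk), make_ds(zone, current_ksk)]  # stale DS left behind
    matched, orphans = match_ds(zone, parent_ds, child_dnskeys)
    return {"status": delegation_status(zone, parent_ds, child_dnskeys),
            "matched_tags": [ds["key_tag"] for ds, _ in matched],
            "orphan_tags": [ds["key_tag"] for ds in orphans]}


if __name__ == "__main__":
    print(demo())
```

Run it and the stale DS shows up under orphan_tags while the status is still Secure; drop the current DS from parent_ds and the status flips to Bogus, because a DS RRset is present yet no path leads to a zone key. That is the distinction the RFC text draws: orphan DS records are noise to be skipped, a DS RRset with no usable path at all is a failure.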
