Paper 9a
RFC 3008
DNSSEC Signing Authority
Intro
defines additional restrictions on DNSSEC signatures
most significant change is that in a secure zone,
zone data is required to be signed by the zone key.
SIG record is normally associated with an RRset and
covers that set.
SIG records may exist which are not bound to any RRset,
but these are considered immaterial.
SIG field requirements
-
Type Covered -
for a data SIG, the type covered MUST be the same as
the type of data in the associated RRset
-
Algorithm Number -
Algorithm specified in a SIG must be recognized by the client
and it must be an algorithm that has a defined SIG rdata
format
-
Labels -
-
Original TTL -
must be greater than or equal to the TTL of the SIG record itself.
-
Signature Expiration and Inception -
current time at time of validation must lie within the
validity period bounded by the inception and expiration
times
-
Key Tag -
no restrictions
-
Signer's Name -
signer's name field of a data SIG must contain the name of the
zone to which the data and signature belong.
-
Signature -
No restrictions on the signature field
Signing Key
Once a signature has been examined and its fields validated,
the resolver attempts to locate a KEY that matches the signer name,
key tag, and algorithm fields in the SIG
-
Type flags -
must have a flags value of 00 or 01
-
Name flags -
different for data SIGs and SIG(0) records
-
Signatory Flags -
-
protocol -
must have a protocol value of 3 (DNSSEC) or 255 (all)
-
algorithm number -
must be identical to that of the generated SIG record
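As an added example (not code from these notes or from RFC 3008), a Python sketch of the two steps above: checking a data SIG's fields, then locating the zone KEY that matches its signer name, key tag and algorithm and checking that key's type flags and protocol. The record layouts, the set of recognized algorithms, and the rule that a data SIG's key must carry the zone name type (01) are assumptions of this example.

```python
from dataclasses import dataclass

# Algorithm numbers with a defined SIG RDATA format; illustrative set (assumption).
KNOWN_ALGORITHMS = {1, 3, 5}

@dataclass
class SigRR:
    ttl: int              # TTL of the SIG record itself
    type_covered: str
    algorithm: int
    original_ttl: int
    expiration: int       # seconds since epoch
    inception: int
    key_tag: int
    signer: str

@dataclass
class KeyRR:
    owner: str
    flags: int            # 16-bit KEY flags field, bit 0 = most significant bit
    protocol: int
    algorithm: int
    key_tag: int

def check_sig_fields(sig, rrset_type, zone, now):
    """Return the field restrictions a data SIG violates (empty list = all pass)."""
    problems = []
    if sig.type_covered != rrset_type:
        problems.append("type covered")
    if sig.algorithm not in KNOWN_ALGORITHMS:
        problems.append("algorithm")
    if sig.original_ttl < sig.ttl:
        problems.append("original ttl")
    if not sig.inception <= now <= sig.expiration:
        problems.append("validity period")
    if sig.signer.lower() != zone.lower():
        problems.append("signer's name")
    return problems

def find_signing_key(sig, keys):
    """Locate the KEY matching signer name, key tag and algorithm; check flags and protocol."""
    want = (sig.signer.lower(), sig.key_tag, sig.algorithm)
    for key in keys:
        if (key.owner.lower(), key.key_tag, key.algorithm) != want:
            continue
        type_bits = (key.flags >> 14) & 0b11   # bits 0-1: must be 00 or 01 (authentication permitted)
        name_bits = (key.flags >> 8) & 0b11    # bits 6-7: 01 = zone key (assumed required for data SIGs)
        if type_bits in (0b00, 0b01) and name_bits == 0b01 and key.protocol in (3, 255):
            return key
    return None
```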
Mike Erlinger
Last Modified Thursday, 06-Apr-2006 10:37:35 PDT