
DNSSECbis Q-8: Non-zone KEY RR at the apex.



Q:  Should a secure (signed) zone be allowed to have non-zone KEY RRs in the
apex?

Discussion:

"Section 2.1 of draft-ietf-dnsext-dnssec-protocol-01

To sign a zone, the zone's administrator generates one or more
public/private key pairs and uses the private key(s) to sign authoritative
RRsets in the zone. For each private key used to create SIG RRs, there
SHOULD be a corresponding KEY RR stored at the zone apex. All KEY RRs at the
zone apex MUST be zone keys. (A zone key KEY RR has the Zone Key bit of the
Flags RDATA field set to one. See Section 2.1.1 of [10].) Zone key KEY RRs
MUST appear only at the zone apex."

<snip>

"Other public keys associated with other DNS operations can be stored in KEY
RRs that are not marked as zone keys. Non-zone key KEY RRs MUST NOT appear
at delegation names. Non-zone key KEY RRs also SHOULD NOT appear at the zone
apex, because large KEY RRsets add processing time at resolvers. Non-zone
key KEY RRs MAY appear at any other name in the zone."

/end

The first paragraph quoted above states that only DNSSEC zone KEY RRs can
appear at the zone apex.  The second quoted paragraph states that non-zone
KEYs SHOULD NOT appear.

It is possible that an admin may wish to put a non-zone key (e.g. SIG(0)
KEY) at the apex, which would be unwise, and result in a larger apex KEY
RRset.  However, there are better ways to store such KEY RRs.

Should the SHOULD NOT in the above (third) paragraph be changed to "Non-zone
key KEY RRs also MUST NOT appear at the zone apex, ..." ?

Scott
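The rules quoted above are mechanically checkable against zone data, so here is an added example (not part of the post, and not code from the DNSEXT working group or any DNS implementation) of a small linter that applies them: every KEY RR at the apex must carry the Zone Key flag, zone keys may appear only at the apex, non-zone keys may not appear at delegation names, and non-zone keys at the apex are reported as a SHOULD violation or, with strict_apex=True (the MUST NOT the post proposes), as a MUST violation. It assumes a simplified one-RR-per-line presentation format ("owner TTL IN TYPE rdata"), that the apex is the owner of the SOA, that delegation points are non-apex owners holding NS records, and that the Zone Key flag is bit 7 of the 16-bit Flags field (value 0x0100), as in section 2.1.1 of the records draft and RFC 4034. The sample zone and its key material are constructed placeholders.

```python
"""Zone-apex KEY RR linter (added example, not from the namedroppers post).

Rules checked, from section 2.1 of draft-ietf-dnsext-dnssec-protocol-01:
  1. every KEY RR at the zone apex MUST be a zone key (Zone Key flag set);
  2. zone-key KEY RRs MUST appear only at the apex;
  3. non-zone-key KEY RRs MUST NOT appear at delegation names;
  4. non-zone-key KEY RRs SHOULD NOT appear at the apex.
Rules 1 and 4 describe the same condition with different strength; the
strict_apex switch selects which reading is enforced.
Assumption: the Zone Key flag is bit 7 (0x0100) of the Flags field.
"""
from collections import defaultdict

ZONE_KEY_FLAG = 0x0100  # bit 7 of the 16-bit Flags field, counting from the left

# Constructed sample zone; "AQEXAMPLEKEY" is a placeholder, not real key material.
SAMPLE_ZONE = """
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test.      3600 IN NS  ns1.example.test.
example.test.      3600 IN KEY 256 3 5 AQEXAMPLEKEY   ; zone key (flags 0x0100)
example.test.      3600 IN KEY 0 3 5 AQEXAMPLEKEY     ; non-zone (e.g. SIG(0)) key at the apex
sub.example.test.  3600 IN NS  ns1.sub.example.test.
sub.example.test.  3600 IN KEY 0 3 5 AQEXAMPLEKEY     ; non-zone key at a delegation name
host.example.test. 3600 IN KEY 0 3 5 AQEXAMPLEKEY     ; non-zone key elsewhere: permitted
host.example.test. 3600 IN KEY 256 3 5 AQEXAMPLEKEY   ; zone key outside the apex
"""


def parse_zone(text):
    """Return (apex, records); records maps owner -> list of (type, rdata fields)."""
    records = defaultdict(list)
    apex = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        owner, rrtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rrtype == "SOA" and apex is None:
            apex = owner  # the SOA owner is the zone apex
        records[owner].append((rrtype, rdata))
    if apex is None:
        raise ValueError("zone has no SOA; cannot determine the apex")
    return apex, records


def is_zone_key(flags):
    """True when the Zone Key flag (bit 7) is set in a KEY Flags value."""
    return bool(flags & ZONE_KEY_FLAG)


def lint_keys(text, strict_apex=False):
    """Return findings as (level, owner, message) tuples, in zone order."""
    apex, records = parse_zone(text)
    # Delegation names: owners other than the apex that hold NS records.
    delegations = {o for o, rrs in records.items()
                   if o != apex and any(t == "NS" for t, _ in rrs)}
    findings = []
    for owner, rrs in records.items():
        for rrtype, rdata in rrs:
            if rrtype != "KEY":
                continue
            flags = int(rdata[0])  # presentation format carries flags in decimal
            if owner == apex:
                if not is_zone_key(flags):
                    level = "MUST" if strict_apex else "SHOULD"
                    findings.append((level, owner,
                                     f"non-zone KEY (flags={flags:#06x}) at the zone apex"))
            elif is_zone_key(flags):
                findings.append(("MUST", owner, "zone-key KEY outside the zone apex"))
            elif owner in delegations:
                findings.append(("MUST", owner, "non-zone KEY at a delegation name"))
    return findings


if __name__ == "__main__":
    for level, owner, msg in lint_keys(SAMPLE_ZONE):
        print(f"{level:6} {owner:20} {msg}")
```

Run against the sample zone this reports the non-zone key at the apex as a SHOULD finding, the non-zone key at sub.example.test. and the zone key at host.example.test. as MUST findings, and says nothing about the non-zone key at host.example.test., which the draft permits.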



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>