Viktor Dukhovni ietf-dane@dukhovni.org writes:
On Fri, Mar 06, 2020 at 05:33:42PM +0100, Peter van Dijk wrote:
C. Each algorithm for which a DNSKEY exists must sign all the records in the zone.
And the invariant holds, because it is signed with ZSKs for both algorithms.
Because of caching, step 1 potentially breaks this invariant.
https://tools.ietf.org/html/rfc6781#section-4.1.4 explains this at length (with better wording than I used), and appears to get it right.
You didn't really address Peter's concern. Any cached RRSIG with remaining TTL higher than a cached DNSKEY will be invalid after the cached DNSKEY expires if you add a new ZSK algorithm without first adding the signatures.
You need to add the signatures first, wait until old sigs are expired, and then add the new ZSK.
Looking at an example: My local resolver is going to keep the www.ietf.org RRSIG cached for 589 seconds after the ietf.org DNSKEY expires. If ietf.org were to add a ZSK with a new algorithm now, then www.ietf.org will be considered invalid for those 589 seconds until the cache picks up the new signature:
bjorn@miraculix:~$ dig dnskey ietf.org +dnssec +multiline; dig www.ietf.org +dnssec +multiline

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> dnskey ietf.org +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25914
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 00d41f1eaa6c1e2b0d935c335e637697980f4266912fe3c1 (good)
;; QUESTION SECTION:
;ietf.org.              IN DNSKEY

;; ANSWER SECTION:
ietf.org.               589 IN DNSKEY 257 3 5 (
                                AwEAAavjQ1H6pE8FV8LGP0wQBFVL0EM9BRfqxz9p/sZ+
                                8AByqyFHLdZcHoOGF7CgB5OKYMvGOgysuYQloPlwbq7W
                                s5WywbutbXyG24lMWy4jijlJUsaFrS5EvUu4ydmuRc/T
                                GnEXnN1XQkO+waIT4cLtrmcWjoY8Oqud6lDaJdj1cKr2
                                nX1NrmMRowIu3DIVtGbQJmzpukpDVZaYMMAm8M5vz4U2
                                vRCVETLgDoQ7rhsiD127J8gVExjO8B0113jCajbFRcMt
                                UtFTjH4z7jXP2ZzDcXsgpe4LYFuenFQAcRBRlE6oaykH
                                R7rlPqqmw58nIELJUFoMcb/BdRLgbyTeurFlnxs=
                                ) ; KSK; alg = RSASHA1 ; key id = 45586
ietf.org.               589 IN DNSKEY 256 3 5 (
                                AwEAAdDECajHaTjfSoNTY58WcBah1BxPKVIHBz4IfLjf
                                qMvium4lgKtKZLe97DgJ5/NQrNEGGQmr6fKvUj67cfrZ
                                UojZ2cGRizVhgkOqZ9scaTVXNuXLM5Tw7VWOVIceeXAu
                                uH2mPIiEV6MhJYUsW6dvmNsJ4XwCgNgroAmXhoMEiWEj
                                BB+wjYZQ5GtZHBFKVXACSWTiCtddHcueOeSVPi5WH94V
                                lubhHfiytNPZLrObhUCHT6k0tNE6phLoHnXWU+6vpsYp
                                z6GhMw/R9BFxW5PdPFIWBgoWk2/XFVRSKG9Lr61b2z1R
                                126xeUwvw46RVy3hanV3vNO7LM5HniqaYclBbhk=
                                ) ; ZSK; alg = RSASHA1 ; key id = 40452
ietf.org.               589 IN RRSIG DNSKEY 5 2 1800 (
                                20210127000407 20200127230611 40452 ietf.org.
                                wiauz1dcDs1GctjHvWCw5Xxt61nTZhG7fjx5/+mC/uaL
                                3GKYwjS7cyBYl/YcXuufSAWFQLBy7BXFIkIxbXyKkCCo
                                uKogFWhoEilYZhUu/GxEppCK1Y7hvokM0i9enBlu7UDQ
                                GvJ9m9buJaKGtcKkiOAOTJB2djeyEexlgOpsQFst1TtM
                                DX6C7pdCjeaqTbFQrzq0LIBjthLJEzMWO4jNTr7bNcpi
                                8+nFDWV1MogDDP9cm8H89vMf4bUfqSvkskq2ouLNGwJ+
                                6gyDqUWu3KR8FvOhOWpq040/6ZWXMAduq5JDbt80oNdD
                                1xjwkhCQDI28fVj0v96MaQTWwR4Brj6p4Q== )
ietf.org.               589 IN RRSIG DNSKEY 5 2 1800 (
                                20210127000433 20200127230611 45586 ietf.org.
                                NRattAGqWXC55uwxwK+iCZhIj81/ljephfA+Hx57jEES
                                N2tCI4ZCldvOOtCojtkKnFchSsNoEfkuYpJtoAENlKat
                                jxBFYmAJJESqoV/X+jh5Y0j45787hF9TMc51//a6qjSl
                                PA3QJLZ2kReVgBRsBDQ9MroWaAWYKnsZOGKIKyg6Rxha
                                ADS/ATg/3kq2XZJuKRXHKx2sdCvqhMpuejgdqr/+SU2K
                                LUdPWrtvLmWRAP73MRIsBy52/rqR4iKkXhRLa6hPkovn
                                hikLibD6wijh53T0Oyqsj0mlpUEQSI6uV5b/9hp0TXpl
                                QhYCiDSuH1cu5fe/pgLvRpxkIEzof58vow== )

;; Query time: 28 msec
;; SERVER: 148.122.16.253#53(148.122.16.253)
;; WHEN: Sat Mar 07 11:25:27 CET 2020
;; MSG SIZE  rcvd: 1209


; <<>> DiG 9.11.5-P4-5.1-Debian <<>> www.ietf.org +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11102
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4ff4c9a2b04e7362cc9958945e6376979d3ae21152d8ec4d (good)
;; QUESTION SECTION:
;www.ietf.org.          IN A

;; ANSWER SECTION:
www.ietf.org.           1175 IN CNAME www.ietf.org.cdn.cloudflare.net.
www.ietf.org.           1175 IN RRSIG CNAME 5 3 1800 (
                                20210127000323 20200127230611 40452 ietf.org.
                                fX/FCVGya8pIk/2cMDWu3+iNKyWd0GLK4g6wtwp8v7rj
                                p+nynpRm1jOanP20p36Dod4qj0IdoMGu3PN2756QZW7L
                                zQ6nS+x7Re37Q52BP89ADXZ5J5tLlcaRl0MEyoj6/Cyv
                                6cW+GH8sK0PwYmE11mVzezI3ZrADWvTCmgNxEpxHxoF0
                                jlpJ0+JVt9gP2bbHWg0uF2yspTwspaoCSRcaO6KFKnkk
                                QXI2PFhgk0w/Od4NXe86V64U1WtMGcqNyGOe0zcq4HPm
                                iiW+lvZab6QuZJ8kq/A5HrDw66MzuRK5S2PJFjoF7lna
                                9OIru9JXT+FcHmozUpI9lwLJIwI5IRt11g== )
www.ietf.org.cdn.cloudflare.net. 300 IN A 104.20.0.85
www.ietf.org.cdn.cloudflare.net. 300 IN A 104.20.1.85
www.ietf.org.cdn.cloudflare.net. 300 IN RRSIG A 13 6 300 (
                                20200308112527 20200306092527 34505 cloudflare.net.
                                gEbu+OUEYzpr2m4Tsvukhpxyyy0ypEW1esxKg/q3qVQW
                                nfeGk7PTcH2oqcplMI+d/9cMQPJW7v0m+/dHXq97FA== )

;; Query time: 31 msec
;; SERVER: 148.122.16.253#53(148.122.16.253)
;; WHEN: Sat Mar 07 11:25:27 CET 2020
;; MSG SIZE  rcvd: 552
Bjørn
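To make the caching argument above concrete, here is an added simulation (not code from the thread) of what a resolver cache holds over time when the DNSKEY RRset and a signed RRset expire independently. The cache state is constructed from the dig output (589 s and 1175 s remaining, 1800 s original TTL); the zone timelines and the "key together with signatures" versus "signatures first" orderings are assumptions made for the example.

```python
from dataclasses import dataclass

# Algorithm numbers as they appear in the dig output: 5 = RSASHA1, 13 = ECDSAP256SHA256.
RSASHA1, ECDSAP256SHA256 = 5, 13
OLD, NEW = frozenset({RSASHA1}), frozenset({RSASHA1, ECDSAP256SHA256})

@dataclass(frozen=True)
class ZoneVersion:
    published_at: int        # seconds; the zone serves this version from here on
    dnskey_algs: frozenset   # algorithms present in the apex DNSKEY RRset
    rrsig_algs: frozenset    # algorithms with an RRSIG over the data RRset

@dataclass(frozen=True)
class CacheEntry:
    fetched_at: int          # when the resolver last fetched this RRset (may be < 0)
    ttl: int                 # TTL it was fetched with

    def version_seen(self, timeline, t):
        """Zone version the cached copy at time t came from. The entry is
        refetched only when its own TTL runs out, independently of other RRsets."""
        refetch = self.fetched_at + ((t - self.fetched_at) // self.ttl) * self.ttl
        return max((v for v in timeline if v.published_at <= refetch),
                   key=lambda v: v.published_at)

def bogus_seconds(timeline, dnskey_cache, rrsig_cache, horizon):
    """Seconds in [0, horizon) during which a validator enforcing the invariant
    from the thread (every algorithm in the DNSKEY RRset must sign the RRset)
    rejects the cached data, because the cached DNSKEY RRset lists an
    algorithm for which the cached RRSIGs hold no signature."""
    bogus = 0
    for t in range(horizon):
        keys = dnskey_cache.version_seen(timeline, t).dnskey_algs
        sigs = rrsig_cache.version_seen(timeline, t).rrsig_algs
        if not keys <= sigs:
            bogus += 1
    return bogus

# Constructed resolver state matching the post: both RRsets have an 1800 s TTL
# (original-TTL field of the RRSIGs); at t=0 the DNSKEY has 589 s left and
# the www.ietf.org RRSIG 1175 s left.
DNSKEY_CACHE = CacheEntry(fetched_at=589 - 1800, ttl=1800)
RRSIG_CACHE = CacheEntry(fetched_at=1175 - 1800, ttl=1800)

# Assumed timelines. Key and new-algorithm signatures published together at t=0:
KEY_AND_SIGS_TOGETHER = [ZoneVersion(-10**6, OLD, OLD), ZoneVersion(0, NEW, NEW)]
# RFC 6781 section 4.1.4 order: signatures first, DNSKEY only after the data TTL passed:
SIGS_FIRST = [ZoneVersion(-10**6, OLD, OLD), ZoneVersion(0, OLD, NEW), ZoneVersion(1800, NEW, NEW)]

if __name__ == "__main__":
    print("key+sigs at once:", bogus_seconds(KEY_AND_SIGS_TOGETHER, DNSKEY_CACHE, RRSIG_CACHE, 4000))
    print("sigs first:      ", bogus_seconds(SIGS_FIRST, DNSKEY_CACHE, RRSIG_CACHE, 4000))
```

The first ordering yields a window of bogus answers between the DNSKEY refetch and the RRSIG refetch; the second yields none, because every old-algorithm-only RRSIG has expired from caches before the new DNSKEY can be fetched.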