Closed huguei closed 2 years ago
Thank you for your comment. Validation against the DS records is planned for test case DNSSEC18, for which there is a draft specification in #941. Neither DNSSEC16 (CDS) nor DNSSEC17 (CDNSKEY) looks at the DS records.
According to the specifications it is mandatory to have KSK+ZSK. You could have a combined CSK instead. And also the SEP is not mandatory. You could use a DNSKEY without SEP set and use it as KSK (or CSK). That said, it is still recommended to have the SEP set on the keys that are used for DS.
I will make a proposal for an update of DNSSEC16 and DNSSEC17 to include verification that the CDS and CDNSKEY records, respectively, point at DNSKEY records with the SEP bit set -- in the case of CDNSKEY, that the SEP bit is set in the record itself.
This issue is addressed in #966. Please review it.
Resolved.
On step 7.vii of test specification "DNSSEC16: Validate CDS", it should be a requirement that at least one CDS RRSIG record should be made with the "KSK" of the zone, or more precisely, with a key with the SEP bit that corresponds to the DS from the parent. Not just any key.
This requirement is from RFC7344, section 4.1, where it says "Signer: MUST be signed with a key that is represented in both the current DNSKEY and DS RRsets,...".
To keep this test case autonomous from parent data, and to allow it to work for the unsigned case, I propose to at least test that there is a valid RRSIG over CDS, made with a valid key from the DNSKEY set that has the SEP bit on. The responsibility for ensuring that the key with the SEP bit is the same as the parent's DS should be with the parent when accepting the rollover or initial enrollment, in another test or action.
So, I propose this change for 7.vii:
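The check the issue argues for (at least one RRSIG over the CDS RRset references a DNSKEY with the SEP bit set, not just any key), as an added illustration that is not part of this issue, of the proposed 7.vii text, or of the project's own test code. It computes RFC 4034 key tags over constructed sample DNSKEY records and matches RRSIG key tag, algorithm and signer name against SEP-flagged keys; cryptographic verification of the signature itself is assumed to be done separately by the DNSSEC library in use.

```python
from dataclasses import dataclass

SEP_FLAG = 0x0001       # RFC 4034 s2.1.1: bit 15, Secure Entry Point
ZONE_KEY_FLAG = 0x0100  # bit 7, Zone Key


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (all algorithms except 1, RSA/MD5).
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_sep(self) -> bool:
        return bool(self.flags & ZONE_KEY_FLAG) and bool(self.flags & SEP_FLAG)


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer_name: str


def sep_signers_of_cds(dnskeys, rrsigs, zone):
    """SEP-flagged DNSKEYs that some RRSIG over CDS in `zone` references.
    A match on (key tag, algorithm) only selects the candidate key; the
    signature must still be verified with that key's public key."""
    sep_keys = [k for k in dnskeys if k.is_sep()]
    return [k for sig in rrsigs
            if sig.type_covered == "CDS" and sig.signer_name == zone
            for k in sep_keys
            if k.key_tag() == sig.key_tag and k.algorithm == sig.algorithm]


def cds_signed_by_sep_key(dnskeys, rrsigs, zone) -> bool:
    """The proposed 7.vii condition: at least one CDS RRSIG by a SEP key."""
    return bool(sep_signers_of_cds(dnskeys, rrsigs, zone))


# Constructed sample data; public key bytes are placeholders, not real keys.
ZONE = "example."
KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=b"\x00\x01\x02\x03")
ZSK = DNSKEY(flags=256, protocol=3, algorithm=13, public_key=b"\x00\x02\x02\x04")
ZSK_ONLY = [RRSIG("CDS", 13, ZSK.key_tag(), ZONE)]        # fails the check
KSK_SIGNED = ZSK_ONLY + [RRSIG("CDS", 13, KSK.key_tag(), ZONE)]  # passes
```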