
A DS RR contains a hash of a child zone's KSK and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.
Figure 22.1 (diagram not reproduced): the delegation chain corp100.com, sales.corp100.com and nw.sales.corp100.com, showing each zone's DNSKEY (256/257), RRSIG and DS records together with its A records; the DS in each parent zone holds a hash of the child zone's KSK.

Following is an example of the DS RR (the digest is one hexadecimal string; it is wrapped here only for display):

corpxyz.com 86400 IN DS 25924 5 1 49D2801B50E25D59440F1FF1A8012B568435
B622B1F8709F33D744C4C6D71EA2

The fields, in order, are:

  • Owner Name: corpxyz.com
  • TTL: 86400
  • Class: IN
  • RR Type: DS
  • Key Tag: 25924
  • Algorithm: 5
  • Digest Type: 1
  • Digest: 49D2801B50E25D59440F1FF1A8012B568435B622B1F8709F33D744C4C6D71EA2

The first four fields specify the owner name, TTL, class and RR type. The succeeding fields are as follows:

  • Key Tag: The key tag value that is used to determine which key to use to verify signatures.
  • Algorithm: Identifies the algorithm of the DNSKEY RR to which this DS RR refers. It uses the same algorithm values and types as the corresponding DNSKEY RR.
  • Digest Type: Identifies the algorithm used to construct the digest. The supported algorithms are:
    — 1 = SHA-1
    — 2 = SHA-256
  • Digest: If SHA-1 is the digest type, this field contains a 20-octet digest. If SHA-256 is the digest type, this field contains a 32-octet digest.
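As an added example (not code from the NIOS guide), the following Python builds the DS RR a parent zone would publish for a child zone's KSK and checks a DS RR against a DNSKEY, using the field layout described above; the digest is computed as hash(owner name in wire form || DNSKEY RDATA) and the key tag per RFC 4034 Appendix B (valid for every algorithm except 1). The zone sales.corpxyz.com and the key bytes are constructed for the example.

```python
import base64
import hashlib
import struct

# Digest types and lengths as listed for the DS RR above (RFC 4034 / RFC 4509).
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}
DIGEST_OCTETS = {1: 20, 2: 32}

def parse_ds(line):
    """Parse a presentation-format DS RR; the digest may be split over several tokens."""
    owner, ttl, _class, _type, tag, alg, dtype, *digest = line.split()
    return owner, int(ttl), int(tag), int(alg), int(dtype), "".join(digest).upper()

def owner_name_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag of DNSKEY RDATA per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, dtype):
    """(key tag, algorithm, digest type, digest) to publish: digest = hash(owner wire || RDATA)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)
    digest = DIGEST_ALGORITHMS[dtype](owner_name_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, dtype, digest

def ds_matches(ds_line, flags, protocol, algorithm, public_key_b64):
    """Does the parent's DS cover this child DNSKEY? A digest of the wrong length for its type never matches."""
    owner, _ttl, tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGEST_OCTETS or len(digest) != 2 * DIGEST_OCTETS[dtype]:
        return False
    return (tag, alg, dtype, digest) == ds_from_dnskey(
        owner, flags, protocol, algorithm, public_key_b64, dtype)

# Constructed sample KSK for sales.corpxyz.com (flags 257 = KSK, protocol 3, algorithm 8);
# the key bytes are filler for the example, not a real RSA public key.
SAMPLE_OWNER = "sales.corpxyz.com."
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(1, 65))).decode()

def sample_ds_line(dtype):
    """DS RR, in the layout shown above, that corpxyz.com would publish for the sample KSK."""
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_OWNER, 257, 3, 8, SAMPLE_KSK_B64, dtype)
    return f"{SAMPLE_OWNER} 86400 IN DS {tag} {alg} {dtype} {digest}"
```

Comparing the DS the parent serves against the child's DNSKEY this way is the check to run after a KSK rollover, before the old key is retired.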

NIOS Administrator Guide (Rev. A), NIOS 8.1, page 1012
Configuring DNSSEC on a Grid