
Security/DNSSEC-TLS

319 bytes added, 22:49, 28 June 2011
DNSSEC Chains
Each zone entered must be directly inside the previous zone (its immediate child). The root zone may be omitted, because the client is assumed to already have the DNSSEC keys for the root. The final entry is a TLSA record (with its corresponding RRSIG), again in wire format.
 
So, for example, the DNSSEC chain sent for clients connecting to foo.bar.com could be:
 
* The DS (+RRSIG) entering .com
* The DNSKEYs (+RRSIGs) for .com
* The DS (+RRSIG) entering bar.com
* The DNSKEYs (+RRSIGs) for bar.com
* The TLSA (+RRSIG) for foo.bar.com (given that bar.com is authoritative for foo.bar.com)
It is possible to optimize away some fields of these records, but at the moment this is not being done. Another optimization would be for the client to indicate a root of trust deeper down the tree, so that the server can omit some zones. For example, a client may already have (and have validated) all of the keys for .com. In this case, the server for example.com need only send the DS record entering example.com and the DNSKEYs for example.com (as well as the final TLSA record).
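The ordering rules above (each zone directly inside the previous one, an optional deeper trust anchor, a TLSA record last) can be checked structurally before any signature is verified. The following is an added example, not code from the wiki page or from the DNSSEC-TLS proposal itself: the `Record` class, `check_chain()` and the sample chains are assumptions for illustration, and the records are modelled as (owner name, type) pairs rather than wire-format bytes. RRSIG validation is out of scope for this check.

```python
# Added example (not from the wiki page): a structural check of the zone ordering
# rule described above. Record names, the Record class and check_chain() are
# assumptions for illustration; signature validation is out of scope here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "bar.com"; a trailing dot is tolerated
    rtype: str  # "DS", "DNSKEY" or "TLSA"; each is assumed to carry its RRSIG


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot; the root becomes ''."""
    return name.lower().rstrip(".")


def parent(name: str) -> str:
    """'foo.bar.com' -> 'bar.com', 'com' -> '' (the root)."""
    labels = name.split(".") if name else []
    return ".".join(labels[1:])


def check_chain(records, trust_anchors=("",)):
    """Return (ok, reason) for a list of Record in the order the server sends them.

    trust_anchors lists zones whose DNSKEYs the client already holds and has
    validated; the default is the root only, so the chain must start with the
    DS entering a TLD.
    """
    anchors = {normalize(z) for z in trust_anchors}
    if not records:
        return False, "empty chain"
    if records[-1].rtype != "TLSA":
        return False, "chain must end with a TLSA record"
    zone_entries = records[:-1]
    if len(zone_entries) % 2:
        return False, "each zone needs a DS followed by its DNSKEYs"

    current = None  # zone whose keys the client can now trust
    for i in range(0, len(zone_entries), 2):
        ds, keys = zone_entries[i], zone_entries[i + 1]
        if ds.rtype != "DS" or keys.rtype != "DNSKEY":
            return False, f"expected DS then DNSKEY at entries {i}, {i + 1}"
        zone = normalize(ds.name)
        if normalize(keys.name) != zone:
            return False, f"DNSKEY for {keys.name} does not match DS for {ds.name}"
        if current is None:
            # First zone presented: its parent must already be trusted by the client.
            if parent(zone) not in anchors:
                return False, f"{zone}: parent {parent(zone) or '.'} is not a trust anchor"
        elif parent(zone) != current:
            # Every later zone must be the immediate child of the one before it.
            return False, f"{zone} is not directly inside {current}"
        current = zone

    if current is None:
        return False, "no zone keys precede the TLSA record"
    tlsa = normalize(records[-1].name)
    # The TLSA owner must lie within the last zone whose keys were presented.
    if tlsa != current and not tlsa.endswith("." + current):
        return False, f"TLSA owner {tlsa} is outside the last zone {current}"
    return True, "ok"


# Constructed sample chains (not real DNS data).
FULL_CHAIN = [
    Record("com", "DS"), Record("com", "DNSKEY"),
    Record("bar.com", "DS"), Record("bar.com", "DNSKEY"),
    Record("foo.bar.com", "TLSA"),
]
# A server that knows the client already trusts .com may omit the .com entries.
SHORT_CHAIN = [
    Record("example.com", "DS"), Record("example.com", "DNSKEY"),
    Record("example.com", "TLSA"),
]

if __name__ == "__main__":
    print(check_chain(FULL_CHAIN))
    print(check_chain(SHORT_CHAIN, trust_anchors=("", "com")))
    print(check_chain(SHORT_CHAIN))  # rejected: the .com keys were never presented
```

The check rejects a chain that skips a level (a DS for foo.bar.com directly after the .com keys), one that omits the root-adjacent zone without the client having announced a deeper trust anchor, and one whose TLSA owner is outside the last zone presented; a chain that passes it still needs each RRSIG verified against the keys it introduces.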