RRSIG and KSK exist, but there is no DS record

When fetching the keys for domaindiscount24.net, I get:

domaindiscount24.net.   3600    IN  DNSKEY  257 3 7 AwEAAeKb+f8Taftu3DLQEVeHJTarZBQwZ9M1B9LpzldumDNwdLf3poYjcE04z30wQSw8NG+XXBaEzJ/vVXQFUsICDlG88HcOQD5/S5WE9sWmHEGKwj1lwzLvfxcBUiOqYEUaI+4xa4EGTuPxKq+No5zutiewaioXqPNRAr0oLCUgl3wUP83+f1RWBHmYkvSyvCprnI++sTl3mjvqMoDxgnZmFexYEuD3RUZDbeSpnbGF9xWuUF7Eiyv8/plQKLaGHFVfc2UKFgvHgZEwGjbu4M15Hr+khZsyAv321LLcNfJMmMQWvWzd7Ls8lgKU721W7BOGMbKT1a+R5JEBsMJEoOd6EhU=
domaindiscount24.net.   3600    IN  DNSKEY  256 3 7 AwEAAb5e1OpMWHZWshn3YVZNuE1mjFfIHXMzBHTh/b2bFrp+IuJ/ruylT+lRkljmSTnLhUcf1ISTU9E+PIjGxm20/mbnZl42YNCcklc30kGFxLrrhCw+qckaepwCWwoDlKsWre8yBFAw0y1co093IP6qSZuDkBU7wrz7x6ltVjfk95/b
domaindiscount24.net.   3600    IN  DNSKEY  257 3 7 AwEAAbqzUHscKrAbgQArh8FkVBz6ToXfWn4hy89zqizcpEX5y16XdNf5OtG8HOU5V3LG0nS6SlSbLFamzWQMliuIt0cRWIiK1XjMYrWWKWODWw1mUqVvlnhtoGDxXroW1HWjrSAX15KWJozOLvaBHRFEiVbldlfFAoEwtuYocjIU8uzyxQxjyNgfwppe2/ZB7ceFNOvF3nJrTrfjWLtRE/srfAIdCefdcnKx4y8PUo1YL0TfJDYhzmFy5ewJxn1Oa0eXl8HONGFiWMo71q+ZqdZ+157UfQPz9uinrzs/MN/u+aREIH0Gxibx6wEczRw5GGiYyw5ETuK5GZlIU03y2KivAnk=
domaindiscount24.net.   3600    IN  DNSKEY  256 3 7 AwEAAaVi/p34WjJ5qNa8hnjVm4c1/6iyX9+XrYIGvY8skrVcJuJDBB3OUPgrpCNgjpguTtDKGECmBv2qMkxa2D5HKM/rn6S9o4TAsWKsR/IJDA0DF2VF6RR5ZnNHj/a13de0E3OD1X9iDlCc9sIz+R8OIJyRGpAdVFlFtNURbP7FTUBr
domaindiscount24.net.   3600    IN  RRSIG   DNSKEY 7 2 3600 20200612203538 20200529125353 11133 domaindiscount24.net. qnDCvLJ1N3/0ClXYDarJKjyf/k2fFGhzOj1ubMZqNalPqkRyiwS/IdktKRQOPanSCClLpQ335/t/9ACPwuhWBd8KZEEcA6xWwnKj0xF2FaPfvjyoo2Co/nj4cSdJHIVgYzwHQb6rcNeHpX1Leamt7tCC+ynCnj4PGoOppiOdr6NKNVn0Av1T+ZzjoC/tKCq8iI/nt74sYuC11gML6shtbMOB5PqJwWA6haJ8Vd/fIDE30bj1T2LFdF/A2NwO8htuZxwf/QICtPuHe7J92aqBM5s3gbl8Vkml7yiLdKglVMBWa3me+hybuQF7Ox+UWEUr3g3NGLzeXbELvbyHG2yzlA==
domaindiscount24.net.   3600    IN  RRSIG   DNSKEY 7 2 3600 20200612203538 20200529125353 33205 domaindiscount24.net. VgDc41jBAYpW7k/6cfRSsTPJAyj4xvVUQxJTBaQnm1HvpWwpFusQp47HXS686F4WQbvra3ADwvBf6VolITc/qjjcGsOPl6jDAxuJzBdbmY1Ys9J2zpziiOgljBKTRn6Unl20h2+uN4Klm7PULT7yptRQozOAnjb8u1WsUlvbfNdT9unsxODpgXOM9b2LnQHTN1C5mxR+IoaAhM5GwebQyFq0FF2J/XAwrvPmAiV6aYr9vttkCQP2V3xlJeCqT9D8Hdfe0K1Ci2phEgdruSRbjuadoGcm4mY7svLzqJlY+zrf2391vMIDlyd1Hs37ztbbbgL4BvBKmBlYQ53bLG1HFA==

But there is no DS record for domaindiscount24.net:

;; QUESTION SECTION:
;domaindiscount24.net.      IN  DS

;; AUTHORITY SECTION:
net.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1591688573 1800 900 604800 86400

How can there be a KSK but no DS record? How should we validate the KSK?

Answer 1

You should not validate the KSK. The absence of a DS record at the delegation point, together with a valid proof of non-existence (NSEC or NSEC3 as relevant, with its RRSIG), indicates that the delegation is insecure and the child zone does not need to be validated.

That is, not only is there no means of validation; you should also find the proof that the zone is "insecure" and should not be validated.
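As an added example (not code from the question or the answer), a small Python classifier that applies the answer's rule to dig output: a DS in the answer section means a secure delegation, a signed NSEC/NSEC3 in the authority section whose type bitmap lacks DS is the proof of an insecure delegation, and anything else is bogus. It only checks which records are present, not signatures or NSEC3 hashes, and the sample responses, names and hashes are constructed placeholders.

```python
import re

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
DENIAL = {"NSEC", "NSEC3"}

def parse_sections(dig_output):
    """Map dig section name -> list of (owner, rrtype, rdata) records."""
    sections, current = {}, None
    for line in dig_output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and not line.startswith(";") and current:
            f = line.split(None, 4)  # owner ttl class type [rdata]
            if len(f) >= 4 and f[2] == "IN":
                sections[current].append((f[0], f[3], f[4] if len(f) > 4 else ""))
    return sections

def types_in_bitmap(rrtype, rdata):
    """Type bitmap: after the next name (NSEC) or after 5 fields (NSEC3)."""
    fields = rdata.split()
    return set(fields[1:] if rrtype == "NSEC" else fields[5:])

def classify_delegation(dig_output):
    """'secure' (DS present), 'insecure' (signed denial of DS) or 'bogus'."""
    s = parse_sections(dig_output)
    if any(t == "DS" for _, t, _ in s.get("ANSWER", [])):
        return "secure"    # the child's KSK must match this DS
    auth = s.get("AUTHORITY", [])
    signed = {r.split()[0] for _, t, r in auth if t == "RRSIG"}
    denials = [(t, r) for _, t, r in auth if t in DENIAL and t in signed]
    if denials and all("DS" not in types_in_bitmap(t, r) for t, r in denials):
        return "insecure"  # proven: no DS at the parent, do not validate the child
    return "bogus"         # neither a DS nor a signed proof that none exists

# Constructed sample (placeholder names and hashes) of what `dig +dnssec DS
# child.net.` at the parent returns for an insecure delegation.
INSECURE = """\
;; QUESTION SECTION:
;child.net.   IN  DS

;; AUTHORITY SECTION:
net.   900  IN  SOA  a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
HASH1.net.   86400  IN  NSEC3  1 1 0 - HASH2 NS RRSIG
HASH1.net.   86400  IN  RRSIG  NSEC3 8 2 86400 20200615000000 20200608000000 1 net. AAAA
"""
# The same query without +dnssec, as in the question: only the SOA comes back.
WITHOUT_DO = "\n".join(INSECURE.splitlines()[:5]) + "\n"
```

Run dig with +dnssec (DO bit set) to see the NSEC3 and RRSIG records; without it, as in the output in the question, the parent returns only the SOA.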
