When getting the key for domaindiscount24.net, I got:

domaindiscount24.net.   3600    IN  DNSKEY  257 3 7 AwEAAeKb+f8Taftu3DLQEVeHJTarZBQwZ9M1B9LpzldumDNwdLf3poYjcE04z30wQSw8NG+XXBaEzJ/vVXQFUsICDlG88HcOQD5/S5WE9sWmHEGKwj1lwzLvfxcBUiOqYEUaI+4xa4EGTuPxKq+No5zutiewaioXqPNRAr0oLCUgl3wUP83+f1RWBHmYkvSyvCprnI++sTl3mjvqMoDxgnZmFexYEuD3RUZDbeSpnbGF9xWuUF7Eiyv8/plQKLaGHFVfc2UKFgvHgZEwGjbu4M15Hr+khZsyAv321LLcNfJMmMQWvWzd7Ls8lgKU721W7BOGMbKT1a+R5JEBsMJEoOd6EhU=
domaindiscount24.net.   3600    IN  DNSKEY  256 3 7 AwEAAb5e1OpMWHZWshn3YVZNuE1mjFfIHXMzBHTh/b2bFrp+IuJ/ruylT+lRkljmSTnLhUcf1ISTU9E+PIjGxm20/mbnZl42YNCcklc30kGFxLrrhCw+qckaepwCWwoDlKsWre8yBFAw0y1co093IP6qSZuDkBU7wrz7x6ltVjfk95/b
domaindiscount24.net.   3600    IN  DNSKEY  257 3 7 AwEAAbqzUHscKrAbgQArh8FkVBz6ToXfWn4hy89zqizcpEX5y16XdNf5OtG8HOU5V3LG0nS6SlSbLFamzWQMliuIt0cRWIiK1XjMYrWWKWODWw1mUqVvlnhtoGDxXroW1HWjrSAX15KWJozOLvaBHRFEiVbldlfFAoEwtuYocjIU8uzyxQxjyNgfwppe2/ZB7ceFNOvF3nJrTrfjWLtRE/srfAIdCefdcnKx4y8PUo1YL0TfJDYhzmFy5ewJxn1Oa0eXl8HONGFiWMo71q+ZqdZ+157UfQPz9uinrzs/MN/u+aREIH0Gxibx6wEczRw5GGiYyw5ETuK5GZlIU03y2KivAnk=
domaindiscount24.net.   3600    IN  DNSKEY  256 3 7 AwEAAaVi/p34WjJ5qNa8hnjVm4c1/6iyX9+XrYIGvY8skrVcJuJDBB3OUPgrpCNgjpguTtDKGECmBv2qMkxa2D5HKM/rn6S9o4TAsWKsR/IJDA0DF2VF6RR5ZnNHj/a13de0E3OD1X9iDlCc9sIz+R8OIJyRGpAdVFlFtNURbP7FTUBr
domaindiscount24.net.   3600    IN  RRSIG   DNSKEY 7 2 3600 20200612203538 20200529125353 11133 domaindiscount24.net. qnDCvLJ1N3/0ClXYDarJKjyf/k2fFGhzOj1ubMZqNalPqkRyiwS/IdktKRQOPanSCClLpQ335/t/9ACPwuhWBd8KZEEcA6xWwnKj0xF2FaPfvjyoo2Co/nj4cSdJHIVgYzwHQb6rcNeHpX1Leamt7tCC+ynCnj4PGoOppiOdr6NKNVn0Av1T+ZzjoC/tKCq8iI/nt74sYuC11gML6shtbMOB5PqJwWA6haJ8Vd/fIDE30bj1T2LFdF/A2NwO8htuZxwf/QICtPuHe7J92aqBM5s3gbl8Vkml7yiLdKglVMBWa3me+hybuQF7Ox+UWEUr3g3NGLzeXbELvbyHG2yzlA==
domaindiscount24.net.   3600    IN  RRSIG   DNSKEY 7 2 3600 20200612203538 20200529125353 33205 domaindiscount24.net. VgDc41jBAYpW7k/6cfRSsTPJAyj4xvVUQxJTBaQnm1HvpWwpFusQp47HXS686F4WQbvra3ADwvBf6VolITc/qjjcGsOPl6jDAxuJzBdbmY1Ys9J2zpziiOgljBKTRn6Unl20h2+uN4Klm7PULT7yptRQozOAnjb8u1WsUlvbfNdT9unsxODpgXOM9b2LnQHTN1C5mxR+IoaAhM5GwebQyFq0FF2J/XAwrvPmAiV6aYr9vttkCQP2V3xlJeCqT9D8Hdfe0K1Ci2phEgdruSRbjuadoGcm4mY7svLzqJlY+zrf2391vMIDlyd1Hs37ztbbbgL4BvBKmBlYQ53bLG1HFA==

However, there is no DS record for domaindiscount24.net:

;; QUESTION SECTION:
;domaindiscount24.net.      IN  DS

;; AUTHORITY SECTION:
net.            900 IN  SOA a.gtld-servers.net. nstld.verisign-grs.com. 1591688573 1800 900 604800 86400

How is it possible to have a KSK but no DS record? How are we supposed to verify the KSK?

vinz
  • "How is it possible to have a KSK but no DS record?" Technically it is the opposite that is the exception. Having a DNSKEY just means changing your zone, which you control, so an easy task. Having a DS means instead going to the registrar and making sure it forwards the DS to the parent (registry) and then waiting for the registry to publish it. Two completely separate tasks. – Patrick Mevzek Jun 13 '20 at 15:07

1 Answer

You are not supposed to verify the KSK.
Lack of a DS at the delegation point, with valid proof of nonexistence (relevant NSEC/NSEC3 with valid RRSIG), is the signal that it's an insecure delegation and that the child zone is not to be validated.

I.e., there is not only no means of validation; you are supposed to have found proof that this zone is "insecure" and is not supposed to be validated.

Håkan Lindqvist
  • Thank you for the clarification! Just for my knowledge, why do they do that? What is the point of providing an RRSIG but not having the DS record registered? – vinz Jun 09 '20 at 11:12
  • @vinz they may be preparing to DNSSEC-enable the zone: you first need to have the zone fully populated with keys and signatures and wait some time BEFORE inserting the DS in the parent; or they forgot; or they were DNSSEC-enabled but removed the DS at some point for some problem or a botched KSK rotation. Or they transferred the domain between registrars, and it is easier to do without DNSSEC being active at the same time. Etc. There could be many reasons, only they will know... – Patrick Mevzek Jun 13 '20 at 15:05
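The following is an added worked example, not code from the question or the answer above. It takes the four DNSKEY records quoted in the question, computes the RFC 4034 key tag and the DS RDATA (SHA-256 digest, digest type 2) that the registrar would have to hand to the .net registry for each KSK, and shows the decision a validating resolver makes at the delegation point: no DS with an authenticated denial of existence is "insecure", no DS without that proof is "bogus", a DS that matches a child DNSKEY continues the secure chain, and a DS that matches nothing is "bogus". Assumptions: the `denial_proven` flag stands in for validating the parent's NSEC3 records and their RRSIG, and the RRSIG check over the child's DNSKEY RRset is left out; only the Python standard library (`base64`, `hashlib`) is used.

```python
import base64
import hashlib

# Constructed input: DNSKEY RDATA (flags, protocol, algorithm, base64 key) copied from
# the dig output quoted in the question. Algorithm 7 is RSASHA1-NSEC3-SHA1.
ZONE = "domaindiscount24.net."
DNSKEY_LINES = [
    "257 3 7 AwEAAeKb+f8Taftu3DLQEVeHJTarZBQwZ9M1B9LpzldumDNwdLf3poYjcE04z30wQSw8NG+XXBaEzJ/vVXQFUsICDlG88HcOQD5/S5WE9sWmHEGKwj1lwzLvfxcBUiOqYEUaI+4xa4EGTuPxKq+No5zutiewaioXqPNRAr0oLCUgl3wUP83+f1RWBHmYkvSyvCprnI++sTl3mjvqMoDxgnZmFexYEuD3RUZDbeSpnbGF9xWuUF7Eiyv8/plQKLaGHFVfc2UKFgvHgZEwGjbu4M15Hr+khZsyAv321LLcNfJMmMQWvWzd7Ls8lgKU721W7BOGMbKT1a+R5JEBsMJEoOd6EhU=",
    "256 3 7 AwEAAb5e1OpMWHZWshn3YVZNuE1mjFfIHXMzBHTh/b2bFrp+IuJ/ruylT+lRkljmSTnLhUcf1ISTU9E+PIjGxm20/mbnZl42YNCcklc30kGFxLrrhCw+qckaepwCWwoDlKsWre8yBFAw0y1co093IP6qSZuDkBU7wrz7x6ltVjfk95/b",
    "257 3 7 AwEAAbqzUHscKrAbgQArh8FkVBz6ToXfWn4hy89zqizcpEX5y16XdNf5OtG8HOU5V3LG0nS6SlSbLFamzWQMliuIt0cRWIiK1XjMYrWWKWODWw1mUqVvlnhtoGDxXroW1HWjrSAX15KWJozOLvaBHRFEiVbldlfFAoEwtuYocjIU8uzyxQxjyNgfwppe2/ZB7ceFNOvF3nJrTrfjWLtRE/srfAIdCefdcnKx4y8PUo1YL0TfJDYhzmFy5ewJxn1Oa0eXl8HONGFiWMo71q+ZqdZ+157UfQPz9uinrzs/MN/u+aREIH0Gxibx6wEczRw5GGiYyw5ETuK5GZlIU03y2KivAnk=",
    "256 3 7 AwEAAaVi/p34WjJ5qNa8hnjVm4c1/6iyX9+XrYIGvY8skrVcJuJDBB3OUPgrpCNgjpguTtDKGECmBv2qMkxa2D5HKM/rn6S9o4TAsWKsR/IJDA0DF2VF6RR5ZnNHj/a13de0E3OD1X9iDlCc9sIz+R8OIJyRGpAdVFlFtNURbP7FTUBr",
]


def wire_name(name):
    """Owner name in DNS wire format (RFC 1035 labels), lower-cased as RFC 4034 requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line):
    flags, proto, alg, key = line.split(None, 3)
    return {"flags": int(flags), "protocol": int(proto), "algorithm": int(alg),
            "key": base64.b64decode("".join(key.split()))}


def dnskey_rdata(k):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return k["flags"].to_bytes(2, "big") + bytes([k["protocol"], k["algorithm"]]) + k["key"]


def key_tag(k):
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA, used only to pick
    candidate keys quickly; it is not a security property."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(k):
    """Flags 257 = ZONE (256) | SEP (1). The SEP bit marks the key a DS is expected to point at."""
    return k["flags"] & 1 == 1


def ds_for_key(zone, k):
    """DS RDATA the registrar would have to submit to the parent for this key:
    digest = SHA-256(owner name in wire format || DNSKEY RDATA), digest type 2 (RFC 4034 / RFC 4509)."""
    digest = hashlib.sha256(wire_name(zone) + dnskey_rdata(k)).hexdigest().upper()
    return {"key_tag": key_tag(k), "algorithm": k["algorithm"], "digest_type": 2, "digest": digest}


def classify_delegation(zone, ds_rrset, dnskeys, denial_proven):
    """Outcome of the DS check at a delegation point, after RFC 4035 section 5.
    - no DS and authenticated denial (NSEC/NSEC3 + valid RRSIG from the parent): "insecure",
      the child is simply not validated (the situation in the question)
    - no DS and no such proof: "bogus", because a DS may have been stripped on the wire
    - a DS matching a child DNSKEY on key tag, algorithm and digest: "secure"
    - DS records present but none matches: "bogus"
    `denial_proven` is an assumed stand-in for validating the parent's NSEC3 proof, and the
    RRSIG over the child's DNSKEY RRset is not checked here; a real validator does both."""
    if not ds_rrset:
        return "insecure" if denial_proven else "bogus"
    for ds in ds_rrset:
        if ds["digest_type"] != 2:
            continue  # unsupported digest types are skipped (RFC 4509 section 3)
        for k in dnskeys:
            if (key_tag(k) == ds["key_tag"] and k["algorithm"] == ds["algorithm"]
                    and ds_for_key(zone, k)["digest"] == ds["digest"]):
                return "secure"
    return "bogus"


DNSKEYS = [parse_dnskey(line) for line in DNSKEY_LINES]


def page_keys():
    return DNSKEYS


def ksk_ds_records():
    """DS records that would make this delegation secure if the registrar published them at .net."""
    return [ds_for_key(ZONE, k) for k in DNSKEYS if is_ksk(k)]


if __name__ == "__main__":
    for ds in ksk_ds_records():
        print(f"{ZONE} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("no DS, denial proven  ->", classify_delegation(ZONE, [], DNSKEYS, denial_proven=True))
    print("no DS, proof missing  ->", classify_delegation(ZONE, [], DNSKEYS, denial_proven=False))
    print("matching DS published ->", classify_delegation(ZONE, ksk_ds_records(), DNSKEYS, True))
```

The key tags printed for the two 257 keys can be compared with the key tags in the two RRSIGs over the DNSKEY RRset (11133 and 33205) to see which keys currently sign the key set. Note that the DS query in the question shows only the .net SOA in the authority section because it was made without `+dnssec`; `dig +dnssec DS domaindiscount24.net` returns the NSEC3 records and their RRSIG that make up the proof of nonexistence the answer refers to.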