Re: [knot-dns-users] CDS/CDNSKEY Publication

Hello all, I noticed that Knot (2.6.5) creates an RRSIG for the CDS/CDNSKEY RRset with the ZSK/CSK only. I was wondering if this is an acceptable behavior as RFC 7344, section 4.1. CDS and CDNSKEY Processing Rules states: o Signer: MUST be signed with a key that is represented in both the current DNSKEY and DS RRsets, unless the Parent uses the CDS or CDNSKEY RRset for initial enrollment; in that case, the Parent validates the CDS/CDNSKEY through some other means (see Section 6.1 and the Security Considerations). Specifically I read that "represented in both the current DNSKEY and DS RRsets" means that the CDS/CDNSKEY RRset must be signed with a KSK/CSK and not only with a ZSK and a trust chain to KSK <- DS. I tested both BIND 9.12.1 and PowerDNS Auth 4.0.5 as well. PowerDNS Auth behaves the same as Knot 2.6.5 but BIND 9.12.1 always signs the CDS/CDNSKEY RRset with at least the KSK. Do I read the RFC rule too strict? To be honest, I see nothing wrong with the CDS/CDNSKEY RRset only signed by the ZSK but BINDs behavior and the not so clear RFC statement keeps me wondering.