
RE: MagicType draft



On Tue, 16 Nov 2004, Scott Rose wrote:

> Really?  I would think that it would almost work.  Wouldn't it be
> the same as having 2 DS RRs, and one having an unknown algorithm
> type?  A DNSSECbis validator would still be able to validate
> positive responses, it's negative responses that would cause some
> errors (unknown algorithms code).  Depending on local policy, the
> validator might resend the query in an attempt to get an RRSIG it
> can understand.

What does the auth server do when it's advertising (via DS/DS') that
both kinds of non-existence proofs are available?  On name errors,
return both a BERT RR and an NSEC RR (proving that the BERT RR doesn't
exist)?  It doesn't know whether the resolver asking the query wants
NSEC-type proofs or BERT-type proofs -- it has to provide an answer
that works for both.  And that answer has to be completely
backwards-compatible with DNSSECbis resolvers.

I think the answer to Ed's question of "What happens if there is a mix
of DNSSECbis and 'this method' keys in a DS set" is: the world ends.
Depending on the resolver's mood, do something either kind and gentle
(treat the zone as unsigned), colorful (treat the zone as not
existing), or punitive (see draft-ietf-dnsop-bad-dns-res-03.txt, now
in WGLC, for creative ideas).

-- Sam


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>