private algorithms and the DS record
I was thinking about the use of private algorithms in DNSSEC the other
day, and it struck me that they might not, strictly speaking, work.
Note that records-11 has the following text in Appendix A.1.1:

    Algorithm number 253 is reserved for private use and will never be
    assigned to a specific algorithm. The public key area in the DNSKEY
    RR and the signature area in the RRSIG RR begin with a wire encoded
    domain name, which MUST NOT be compressed. The domain name indicates
    the private algorithm to use and the remainder of the public key area
    is determined by that algorithm. Entities should only use domain
    names they control to designate their private algorithms.

Fair enough, but there are no instructions for the DS record. So how
would a resolver be able to distinguish between a known private
algorithm from an unknown private algorithm from the delegation?
Note this text from protocol-09, section 5.2:

    If the validator does not support any of the algorithms listed in an
    authenticated DS RRset, then the resolver has no supported
    authentication path leading from the parent to the child. The
    resolver should treat this case as it would the case of an
    authenticated NSEC RRset proving that no DS RRset exists, as
    described above.

I.e., it is expected that a DNSSEC validator would be able to make the
determination that it does or does not support any of the algorithms
directly from the DS set. As soon as a DNSSEC validator knows about one
private algorithm (per scheme), it suddenly cannot make this determination.
Or am I missing something?
--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer VeriSign Applied Research
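The mismatch the post describes, shown as an added example (not code from the post or from any DNSSEC implementation): a DNSKEY with algorithm 253 carries the private algorithm's name in its public key area, but the DS derived from it carries only the number 253. The private algorithm name "myalg.example." and the key material are constructed for illustration.

```python
import hashlib
import struct

def encode_name(name):
    """Uncompressed DNS wire encoding of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(data, pos):
    """Decode an uncompressed wire-format name at pos; returns (name, end offset)."""
    labels = []
    while data[pos] != 0:
        if data[pos] & 0xC0:  # records-11 forbids compression pointers here
            raise ValueError("compressed name in private algorithm field")
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
        pos += 1 + data[pos]
    return ".".join(labels) + ".", pos + 1

def build_dnskey_rdata(flags, algorithm, key_material, private_alg_name=None):
    """DNSKEY RDATA: flags, protocol 3, algorithm, public key. For algorithm 253
    the public key area begins with the designating domain name (records-11 A.1.1)."""
    prefix = encode_name(private_alg_name) if algorithm == 253 else b""
    return struct.pack("!HBB", flags, 3, algorithm) + prefix + key_material

def private_algorithm_of_dnskey(dnskey_rdata):
    """The private algorithm name a DNSKEY with algorithm 253 designates, else None."""
    return None if dnskey_rdata[3] != 253 else decode_name(dnskey_rdata, 4)[0]

def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B key tag (the algorithm 1 special case is not handled)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def build_ds_rdata(owner, dnskey_rdata):
    """DS RDATA (digest type 2, SHA-256): key tag, algorithm, digest type, digest."""
    digest = hashlib.sha256(encode_name(owner) + dnskey_rdata).digest()
    return struct.pack("!HBB", key_tag(dnskey_rdata), dnskey_rdata[3], 2) + digest

def ds_algorithm_supported(ds_rdata, supported):
    """The decision protocol-09 section 5.2 asks a validator to make from the DS alone.
    True/False for a numbered algorithm; None for 253, since the DS holds no name."""
    alg = ds_rdata[2]
    return None if alg == 253 else alg in supported

# Constructed sample: a key for "child.example." under hypothetical "myalg.example.".
DNSKEY = build_dnskey_rdata(257, 253, bytes(range(16)), "myalg.example.")
DS = build_ds_rdata("child.example.", DNSKEY)
```

Even a validator that knows "myalg.example." gets None from the DS: the name is only recoverable from the child's DNSKEY, not from the delegation.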