
Re: DNSSEC and unknown algorithms



Mark Andrews wrote:

In my mind, and I may be missing something, if a resolver does not treat the zone as unsigned, it will be making validation decisions based on unverified data. Which, I think, is a bad idea. My memory is a bit hazy on the subject, but wasn't it that sort of thing that caused us to do the typecode rollover in the first place?


	The security policy may say otherwise.

	Say you have a policy that says "Every zone beneath example.net will
	be signed with algorithm A" and example.net is only signed with
	algorithm B.

	Treating the zone as unsigned would be a violation of that
	policy.

Just to clarify, in my head, everything always has an exception for "local policy". But in this case, am I right in thinking that treating the zone as *signed* and not entirely bogus is not an option? Or to put this another way, what other options besides "treat the zone as unsigned" or "write the whole zone off as bogus due to local policy" does a validator have?


--
David Blacka    <davidb@verisignlabs.com>
Sr. Engineer    VeriSign Applied Research
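The three outcomes the thread is weighing (insecure/unsigned, bogus by local policy, or proceed to validate) can be written down as a small delegation-classification routine. The block below is an added illustration, not code from the thread or from any resolver; it applies the RFC 4035 section 5.2 rule that a DS record is only usable when the validator supports both its algorithm and its digest type, and layers a constructed local-policy table of the "everything under example.net must use algorithm A" kind on top of it. The `DS` dataclass, the `classify_delegation` function and the policy dictionary shape are all assumptions made for this example; the algorithm and digest-type numbers are the IANA-registered values.

```python
from dataclasses import dataclass
from enum import Enum

# IANA DNSSEC algorithm numbers used in the constructed scenarios below.
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15
PRIVATEDNS = 253   # "private algorithm": something a generic validator cannot implement

# IANA DS digest types.
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2


class Outcome(Enum):
    INSECURE = "insecure: treat the zone as unsigned (RFC 4035 section 5.2)"
    BOGUS = "bogus: rejected by local policy"
    VALIDATE = "secure candidate: a usable DS exists, go on to check DNSKEY/RRSIG"


@dataclass(frozen=True)
class DS:
    """The fields of a DS record that matter for the decision (hypothetical helper type)."""
    key_tag: int
    algorithm: int
    digest_type: int


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def _under(zone: str, suffix: str) -> bool:
    """True if zone is suffix itself or lies beneath it."""
    zone, suffix = _canon(zone), _canon(suffix)
    return zone == suffix or zone.endswith("." + suffix)


def classify_delegation(zone, ds_rrset, supported_algorithms, supported_digests,
                        local_policy=None):
    """Decide how a validator treats a delegation given its DS RRset.

    ds_rrset            -- iterable of DS records from the parent (assumed already
                           authenticated; an empty set means an authenticated
                           absence of DS, i.e. an unsigned delegation)
    supported_algorithms -- algorithm numbers this validator implements
    supported_digests    -- DS digest types this validator implements
    local_policy         -- constructed mapping of suffix -> set of algorithm
                           numbers that every zone at or beneath that suffix
                           must be signed with
    """
    local_policy = local_policy or {}
    ds_rrset = list(ds_rrset)

    # 1. Local policy is checked first: if a covering rule exists and no DS
    #    offers one of the required algorithms, the zone is bogus rather than
    #    quietly downgraded to unsigned.
    for suffix, required in local_policy.items():
        if _under(zone, suffix) and not any(d.algorithm in required for d in ds_rrset):
            return Outcome.BOGUS

    # 2. RFC 4035 section 5.2: a DS is usable only when both its algorithm and
    #    its digest type are supported. With no usable DS the delegation is
    #    treated as unsigned (insecure), not as bogus.
    usable = [d for d in ds_rrset
              if d.algorithm in supported_algorithms and d.digest_type in supported_digests]
    if not usable:
        return Outcome.INSECURE
    return Outcome.VALIDATE


# Constructed scenarios mirroring the thread: example.net is signed only with
# algorithm B (RSASHA256) while policy demands algorithm A (ECDSAP256SHA256).
SUPPORTED_ALGS = {RSASHA256, ECDSAP256SHA256, ED25519}
SUPPORTED_DIGESTS = {DIGEST_SHA256}
EXAMPLE_DS = [DS(key_tag=12345, algorithm=RSASHA256, digest_type=DIGEST_SHA256)]
POLICY = {"example.net": {ECDSAP256SHA256}}

if __name__ == "__main__":
    print(classify_delegation("example.net", EXAMPLE_DS, SUPPORTED_ALGS, SUPPORTED_DIGESTS, POLICY))
    print(classify_delegation("example.net", EXAMPLE_DS, SUPPORTED_ALGS, SUPPORTED_DIGESTS))
    unknown = [DS(12345, PRIVATEDNS, DIGEST_SHA256)]
    print(classify_delegation("example.org", unknown, SUPPORTED_ALGS, SUPPORTED_DIGESTS))
```

The ordering matters: the policy check runs before the "unknown algorithm means unsigned" rule, so a validator configured with a rule like Mark's never reaches the insecure downgrade for the covered zones, while zones outside the policy keep the standard behaviour.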

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>