
Re: DNSSEC and unknown algorithms



Wes Hardaker wrote:
On Thu, 16 Dec 2004 15:34:51 -0500, David Blacka <davidb@verisignlabs.com> said:


David> In protocol-09, section 5.2, there are two paragraphs
David> describing what to do when a resolver encounters a delegation
David> to a zone signed only with unknown algorithms:

proto-09-5.2> If the validator does not support any of the algorithms
proto-09-5.2> listed in an authenticated DS RRset, then the resolver
proto-09-5.2> has no supported authentication path leading from the
proto-09-5.2> parent to the child.  The resolver should treat this
proto-09-5.2> case as it would the case of an authenticated NSEC RRset
proto-09-5.2> proving that no DS RRset exists, as described above.

If you follow the advice in that last sentence, doesn't it allow for
someone to craft a DS packet with an unassigned algorithm ID and send
it to the requester and they'll actually immediately treat that packet
as a proof of non-existence?  Why would you ever treat a response you
can't authenticate as an authenticated NSEC?  Treating it as an
unauthenticated NSEC I can understand, but not as an authenticated
one.

No.

This is actually discussed earlier in section 5.2. The validator is working with verified DS records from the parent. I.e., the parent is signed with a known algorithm. So you aren't making a security decision based on unauthenticated data here (which is what I'm worried that some misguided implementation might do).

--
David Blacka    <davidb@verisignlabs.com>
Sr. Engineer    VeriSign Applied Research
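The ordering David describes, as an added illustration that is not part of the thread or of any DNSSEC implementation: the DS RRset (or the NSEC denying it) is first authenticated with the parent's key, and only then is the "all algorithms unsupported, treat like no DS" rule applied. Algorithm numbers 8 and 13 are real assignments; the number 100 and the record values are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

RSASHA256 = 8          # real assignment (RFC 5702)
ECDSAP256SHA256 = 13   # real assignment (RFC 6605)
UNASSIGNED_ALG = 100   # constructed: not assigned to any algorithm


class Status(Enum):
    SECURE = "secure"      # a supported DS exists; keep validating into the child
    INSECURE = "insecure"  # authenticated proof of an unsigned/unsupported child
    BOGUS = "bogus"        # the DS RRset (or its denial) could not be authenticated


@dataclass
class DS:
    key_tag: int
    algorithm: int


@dataclass
class DSResponse:
    ds_rrset: list = field(default_factory=list)  # DS records at the delegation
    parent_sig_ok: bool = False   # did the parent's RRSIG over the answer verify?
    nsec_proves_no_ds: bool = False  # authenticated NSEC denial, when no DS present


def classify_delegation(resp: DSResponse, supported: set) -> Status:
    """Decide the security status of a delegation from the parent's view."""
    # Step 1: authenticate the DS RRset, or its denial, with the parent's key.
    # The parent chain is already validated, so its algorithm is supported.
    # An answer that does not verify is bogus, regardless of what it claims.
    if not resp.parent_sig_ok:
        return Status.BOGUS
    if not resp.ds_rrset:
        return Status.INSECURE if resp.nsec_proves_no_ds else Status.BOGUS
    # Step 2 (protocol-09 section 5.2): the DS RRset is authentic but lists
    # only algorithms this validator does not implement, so there is no
    # usable path into the child. Treat it exactly like "no DS exists".
    if not any(ds.algorithm in supported for ds in resp.ds_rrset):
        return Status.INSECURE
    return Status.SECURE


if __name__ == "__main__":
    forged = DSResponse([DS(1, UNASSIGNED_ALG)])  # unsigned by parent
    print(classify_delegation(forged, {RSASHA256, ECDSAP256SHA256}))  # bogus
```

A forged DS with an unassigned algorithm never reaches step 2 because it fails the parent's signature check, which is why the rule cannot be used as a downgrade.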

archive: <http://ops.ietf.org/lists/namedroppers/>