
RE: DNSSEC and unknown algorithms



> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org]On Behalf Of David Blacka
>
> I do realize that this topic was probably discussed ad nauseam, and this
> comment is extra-super late, but...
>
> In protocol-09, section 5.2, there are two paragraphs describing what to
> do when a resolver encounters a delegation to a zone signed only with
> unknown algorithms:
>
>     If the validator does not support any of the algorithms listed in an
>     authenticated DS RRset, then the resolver has no supported
>     authentication path leading from the parent to the child.  The
>     resolver should treat this case as it would the case of an
>     authenticated NSEC RRset proving that no DS RRset exists, as
>     described above.
>
> and
>
>     If the resolver does not support any of the algorithms listed in an
>     authenticated DS RRset, then the resolver will not be able to verify
>     the authentication path to the child zone.  In this case, the
>     resolver SHOULD treat the child zone as if it were unsigned.
>
> (sort of redundant to have both paragraphs, but whatever)
>
> My question is, why is this a SHOULD (or "should" in the first
> paragraph).  I suppose I'm imagination impaired, but what other option
> does the resolver actually have except to treat the zone as unsigned?
>
I think it was a decision to defer to local policy.  Some sites may wish to
shoot themselves in the foot.  If a validator sees a DNSKEY with an algo it
doesn't understand, it may still be able to verify the parent's RRSIG
covering the DS, so a smart validator would determine "signed by something I
can't verify", and it's up to local policy how that response is handled.


Scott

> --
> David Blacka    <davidb@verisignlabs.com>
> Sr. Engineer    VeriSign Applied Research
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>


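The decision Scott describes, as an added worked example (not code from the list thread, from protocol-09, or from any resolver implementation): once the parent-side DS RRset has been authenticated, filter it down to the DS records whose signing algorithm and digest type the validator actually implements. If nothing usable remains, there is no supported authentication path and the child is classified insecure (treated as unsigned), unless a local-policy knob says to flag it instead. The class names, the `strict_unknown_algorithm` policy flag, and the sample DS records (including algorithm number 200 standing in for an algorithm the validator does not know, and the zeroed digest bytes) are constructed for this illustration. Treating an unknown DS digest type the same way as an unknown algorithm follows the later DNSSEC clarifications (RFC 6840) rather than the text quoted above.

```python
"""Illustrative DS-algorithm check for a validating resolver.

Models the rule quoted above from protocol-09 section 5.2 (RFC 4035):
an authenticated DS RRset none of whose algorithms the validator supports
leaves no supported authentication path from parent to child, so the child
is treated as if it were unsigned, subject to local policy.

Added example; not the list thread's, the draft's, or any resolver's code.
Algorithm and digest-type numbers for the *known* values are the IANA
registry numbers; everything else here is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum

# DNSSEC signing algorithm numbers (IANA DNS Security Algorithm Numbers)
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15
# Hypothetical number standing in for an algorithm this validator has never
# heard of (constructed for the example, not an assigned value).
UNKNOWN_ALG = 200

# DS digest type numbers (IANA Delegation Signer Digest Algorithms)
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2


class Status(Enum):
    PATH_AVAILABLE = "path-available"  # at least one usable DS; continue to the child DNSKEY check
    INSECURE = "insecure"              # no supported path; treat child as unsigned (the SHOULD)
    BOGUS = "bogus"                    # local policy chose to refuse instead of downgrade


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


@dataclass(frozen=True)
class Validator:
    algorithms: frozenset      # signing algorithms this validator can verify
    digest_types: frozenset    # DS digest types this validator can compute
    # Hypothetical local-policy knob: refuse ("bogus") rather than downgrade
    # when the only DS records use algorithms we cannot verify.
    strict_unknown_algorithm: bool = False

    def usable_ds(self, ds_rrset):
        """Keep only DS records we could actually use to match a child DNSKEY."""
        return [ds for ds in ds_rrset
                if ds.algorithm in self.algorithms
                and ds.digest_type in self.digest_types]


def classify_delegation(validator, authenticated_ds_rrset):
    """Classify a delegation from an *already authenticated* DS RRset.

    The caller must have verified the parent's RRSIG over the DS RRset first;
    an empty set is not handled here because that case is proven with an
    authenticated NSEC/NSEC3 "no DS" response, not with a DS RRset.
    Returns (status, usable_ds_records).
    """
    if not authenticated_ds_rrset:
        raise ValueError("empty DS RRset: use the NSEC/NSEC3 'no DS' proof path")
    usable = validator.usable_ds(authenticated_ds_rrset)
    if usable:
        return Status.PATH_AVAILABLE, usable
    # "Signed by something I can't verify": the DS RRset itself checked out,
    # but nothing in it leads to a key we can validate.
    if validator.strict_unknown_algorithm:
        return Status.BOGUS, []
    return Status.INSECURE, []


# Constructed sample data: a child whose DS RRset only advertises an unknown
# algorithm, and one that mixes an unknown algorithm with RSASHA256.
ZERO_DIGEST = bytes(32)  # placeholder, not a real SHA-256 digest
DS_UNKNOWN_ONLY = [DS(key_tag=12345, algorithm=UNKNOWN_ALG,
                      digest_type=DIGEST_SHA256, digest=ZERO_DIGEST)]
DS_MIXED = DS_UNKNOWN_ONLY + [DS(key_tag=23456, algorithm=RSASHA256,
                                 digest_type=DIGEST_SHA256, digest=ZERO_DIGEST)]

DEFAULT_VALIDATOR = Validator(frozenset({RSASHA256, ECDSAP256SHA256, ED25519}),
                              frozenset({DIGEST_SHA256}))
STRICT_VALIDATOR = Validator(DEFAULT_VALIDATOR.algorithms,
                             DEFAULT_VALIDATOR.digest_types,
                             strict_unknown_algorithm=True)

if __name__ == "__main__":
    for name, v in (("default", DEFAULT_VALIDATOR), ("strict", STRICT_VALIDATOR)):
        for label, rrset in (("unknown-only", DS_UNKNOWN_ONLY), ("mixed", DS_MIXED)):
            status, usable = classify_delegation(v, rrset)
            print(f"{name:8} {label:13} -> {status.value} "
                  f"(usable key tags: {[d.key_tag for d in usable]})")
```

The `strict_unknown_algorithm` flag is the "shoot themselves in the foot" option: it turns a delegation the validator cannot follow into a validation failure for the whole child zone. The default, which the draft's SHOULD calls for, is to fall back to insecure so that a new signing algorithm can be deployed in a child without cutting off resolvers that have not yet learned it.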