Re: DNSSEC and unknown algorithms
[ Moderators note: Post was moderated, either because it was posted by
a non-subscriber, or because it was over 20K.
With the massive amount of spam, it is easy to miss and therefore
delete relevant posts by non-subscribers. Please fix your
subscription addresses. ]
>>>>> On Thu, 16 Dec 2004 15:34:51 -0500, David Blacka <davidb@verisignlabs.com> said:
David> In protocol-09, section 5.2, there are two paragraphs
David> describing what to do when a resolver encounters a delegation
David> to a zone signed only with unknown algorithms:
proto-09-5.2> If the validator does not support any of the algorithms
proto-09-5.2> listed in an authenticated DS RRset, then the resolver
proto-09-5.2> has no supported authentication path leading from the
proto-09-5.2> parent to the child. The resolver should treat this
proto-09-5.2> case as it would the case of an authenticated NSEC RRset
proto-09-5.2> proving that no DS RRset exists, as described above.
If you follow the advice in that last sentence, doesn't it allow for
someone to craft a DS packet with an unassigned algorithm ID and send
it to the requester and they'll actually immediately treat that packet
as a proof of non-existence? Why would you ever treat a response you
can't authenticate as an authenticated NSEC? Treating it as an
unauthenticated NSEC I can understand, but not as an authenticated
one.
--
"In the bathtub of history the truth is harder to hold than the soap,
and much more difficult to find." -- Terry Pratchett
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
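The decision the quoted proto-09 section 5.2 text describes, as an added example that is not part of the post or of the draft: the "treat as proven no-DS" outcome applies only after the DS RRset itself has been authenticated via the parent's signature; a DS RRset that fails that check is bogus, whatever algorithm numbers it carries. Algorithm numbers 5 and 8 are IANA DNSSEC values; 200 is a constructed stand-in for an unassigned code, and the record contents are constructed.

```python
from dataclasses import dataclass
from enum import Enum

RSASHA1 = 5            # IANA DNSSEC algorithm number
RSASHA256 = 8          # IANA DNSSEC algorithm number
UNASSIGNED_ALG = 200   # constructed stand-in for an algorithm this validator has never heard of


class Status(Enum):
    SECURE = "secure"      # at least one DS uses a supported algorithm: keep validating into the child
    INSECURE = "insecure"  # authenticated DS RRset, but no supported algorithm: treat like proven "no DS"
    BOGUS = "bogus"        # the DS RRset could not be authenticated from the parent; trust nothing in it


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def classify_delegation(ds_rrset, ds_rrset_authenticated, supported_algorithms):
    """Apply the proto-09 section 5.2 rule to a delegation's DS RRset.

    ds_rrset_authenticated is the result of verifying the RRSIG over the DS
    RRset with the parent zone's trusted DNSKEY; that check comes first.
    """
    if not ds_rrset_authenticated:
        # The rule is stated for an *authenticated* DS RRset. A DS RRset whose
        # RRSIG does not verify (for instance one injected by a third party)
        # never reaches the algorithm check and proves nothing.
        return Status.BOGUS
    if any(ds.algorithm in supported_algorithms for ds in ds_rrset):
        # The validator ignores the DS records it cannot process and follows
        # the ones it can; authentication continues into the child zone.
        return Status.SECURE
    # Authenticated DS RRset, but no algorithm the validator supports: there is
    # no supported authentication path from parent to child, so the child is
    # treated as if an authenticated NSEC had proven that no DS RRset exists.
    return Status.INSECURE


# Constructed sample data: one delegation that mixes algorithms, one that only
# uses an algorithm the validator does not implement.
MIXED_DS = [DS(12345, RSASHA1, 1, b"\x01" * 20), DS(54321, UNASSIGNED_ALG, 1, b"\x02" * 20)]
UNKNOWN_ONLY_DS = [DS(54321, UNASSIGNED_ALG, 1, b"\x02" * 20)]
SUPPORTED = {RSASHA1, RSASHA256}
```

Feeding UNKNOWN_ONLY_DS through with ds_rrset_authenticated=False is the forged-DS case the post raises, and it comes back bogus; only the same RRset signed by the parent yields the insecure result.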