Re: DNSSEC and unknown algorithms
On Thu, 16 Dec 2004, David Blacka wrote:
> My question is, why is this a SHOULD (or "should" in the first
> paragraph). I suppose I'm imagination impaired, but what other option
> does the resolver actually have except to treat the zone as unsigned?
Maybe the resolver could still check to see if all RRsets still have
unexpired RRSIGs of an appropriate algorithm type, even if the crypto
bits don't work? It shouldn't set the ad bit if an answer passes
those checks, but it might throw an error if they fail.
As the author of text that led to these paragraphs, I don't recall
exactly why I didn't use a 2119 MUST. In general, I think 2119 MUSTs
should be used sparingly, and only with known good reason. If there's
any plausible non-offending alternative, a SHOULD is more appropriate.
> In my mind, and I may be missing something, if a resolver does not treat
> the zone as unsigned, it will be making validation decisions based on
> unverified data. Which, I think, is a bad idea. My memory is a bit
> hazy on the subject, but wasn't it that sort of thing that caused us to
> do the typecode rollover in the first place?
TCR happened because some (widely deployed) resolvers treat any answer
with an NXT as being a denial of existence, no matter the name
bounds of that NXT. Since DS added NXTs to positive answers (unsecure
referrals), unsecure delegations from signed zones didn't work. I
don't know if we ever tested what happened to other NXT-bearing
positive answers (i.e. wildcard answers), but this was sufficient to
justify the TCR. Jakob discovered the bug on New Year's Eve, two
years ago. Mark Andrews tracked it down the next day.
To answer David's question, no, the use of unvalidated data is not
what triggered the TCR. I don't recall whether an unvalidated NXT is
sufficient to trigger the bug above -- it might be, but that wasn't
the reason for the TCR.
-- Sam
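As an added illustration (written for this archive page, not by Sam, David or anyone else in the thread), the sketch below models the two options discussed for a zone whose DNSKEY RRset carries only algorithms the resolver does not implement: treat the zone as unsigned, or apply the weaker non-cryptographic check Sam describes (every RRset has an unexpired RRSIG whose algorithm and key tag match a zone DNSKEY; never set AD; reject the answer if that fails). The supported-algorithm set, the algorithm number 200, the names and the timestamps are all constructed for the example; real signature verification is out of scope and is injected as a callable.

```python
"""Added example: how a validating resolver might treat an answer from a zone
signed only with algorithms it does not implement.  Everything here
(zone names, algorithm 200, key tags, timestamps) is constructed."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Set, Tuple


class Status(Enum):
    SECURE = "secure"                # signatures verified: AD bit may be set
    INSECURE = "insecure"            # zone treated as unsigned: no AD bit
    INDETERMINATE = "indeterminate"  # consistent but unverifiable: no AD bit
    BOGUS = "bogus"                  # a check failed: answer is rejected


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    key_tag: int


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    inception: int    # seconds since the epoch, as in the wire format
    expiration: int


@dataclass
class RRset:
    name: str
    rtype: str
    sigs: List[RRSIG] = field(default_factory=list)


# Hypothetical resolver policy: the algorithm numbers this resolver implements
# (8 = RSASHA256 and 13 = ECDSAP256SHA256 in the IANA registry).
SUPPORTED_ALGORITHMS: Set[int] = {8, 13}


def zone_has_supported_algorithm(dnskeys: List[DNSKEY], supported: Set[int]) -> bool:
    return any(k.algorithm in supported for k in dnskeys)


def structural_check(rrsets: List[RRset], dnskeys: List[DNSKEY], now: int) -> Tuple[bool, str]:
    """Without any cryptography, check that every RRset carries at least one
    RRSIG that covers its type, is inside its validity window at `now`, and
    names an (algorithm, key tag) pair published in the zone's DNSKEY RRset."""
    key_ids = {(k.algorithm, k.key_tag) for k in dnskeys}
    for rrset in rrsets:
        usable = [s for s in rrset.sigs
                  if s.type_covered == rrset.rtype
                  and s.inception <= now <= s.expiration
                  and (s.algorithm, s.key_tag) in key_ids]
        if not usable:
            return False, f"{rrset.name}/{rrset.rtype}: no usable RRSIG"
    return True, ""


def classify(rrsets: List[RRset], dnskeys: List[DNSKEY], now: int,
             supported: Set[int] = SUPPORTED_ALGORITHMS, structural: bool = True,
             verify: Optional[Callable[[List[RRset], List[DNSKEY]], bool]] = None
             ) -> Tuple[Status, bool]:
    """Return (status, ad_bit_allowed).

    If the zone publishes an algorithm we implement, real verification runs
    via `verify` (injected; the crypto itself is not modelled here).
    Otherwise nothing can be verified: structural=False treats the zone as
    unsigned, structural=True applies the consistency check above.  Neither
    unverifiable path ever permits the AD bit."""
    if zone_has_supported_algorithm(dnskeys, supported):
        if verify is None:
            raise ValueError("supported algorithm present but no verifier supplied")
        return (Status.SECURE, True) if verify(rrsets, dnskeys) else (Status.BOGUS, False)
    if not structural:
        return Status.INSECURE, False
    ok, _reason = structural_check(rrsets, dnskeys, now)
    return (Status.INDETERMINATE, False) if ok else (Status.BOGUS, False)


# Constructed sample zone signed only with algorithm 200, which this resolver
# does not implement (a number picked for the example, not a real assignment).
ZONE_KEYS = [DNSKEY(algorithm=200, key_tag=4711)]

ANSWER = [
    RRset("www.example.", "A", [RRSIG("A", 200, 4711, inception=1000, expiration=2000)]),
    RRset("example.", "NS", [RRSIG("NS", 200, 4711, inception=1000, expiration=2000)]),
]

# Same answer, but the A RRset's signature names a key tag the zone never published.
ANSWER_WRONG_KEY = [
    RRset("www.example.", "A", [RRSIG("A", 200, 9999, inception=1000, expiration=2000)]),
    ANSWER[1],
]


if __name__ == "__main__":
    print("structural, valid window :", classify(ANSWER, ZONE_KEYS, now=1500))
    print("structural, expired      :", classify(ANSWER, ZONE_KEYS, now=2500))
    print("structural, wrong key tag:", classify(ANSWER_WRONG_KEY, ZONE_KEYS, now=1500))
    print("treat as unsigned        :", classify(ANSWER, ZONE_KEYS, now=1500, structural=False))
```

The point the code makes explicit is the one both messages agree on: whichever option is chosen, an answer from such a zone never earns the AD bit, because no signature was actually checked. The structural variant only adds a way to notice stale or mismatched RRSIGs and reject the answer, at the cost of making decisions from unverified data.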
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>