
Re: private algorithms and the DS record




On Dec 17, 2004, at 10:54 AM, Olaf M. Kolkman wrote:

Are you referring to algorithm id clashes?

yes.

Private algorithms are identified with an algorithm number (253 or 254)
and an additional DNS name or OID.  When you are looking at a DNSKEY or
RRSIG, you can figure out exactly what the algorithm name is by looking
at the number, seeing that it is 253, then looking at the beginning for
the key data or signature data and parsing a DNS name.

Nobody has implemented this that I know of, but it looks easy enough.

HOWEVER, when the resolver is following a delegation, it 1) looks for
the presence or absence of the DS set.  If present, it makes sure that
it understands at least one of the algorithms presented in the DS
record.  BUT, it cannot tell if "253" refers to a private algorithm it
has heard of or some other private algorithm, because there are NO
INSTRUCTIONS for putting the private key DNS name or OID in the DS
record anywhere.  Therefore, one has to assume that it is not present.
Thus, the only information that the resolver has at that point in the
validation process is that the DS record is using *some* private
algorithm, but it cannot tell which one.

Basically, all I am pointing out is that private algorithm identifiers
need to be handled everywhere algorithm numbers appear.  And the DS
record is missing information about how to handle private algorithms.

It is true that, if the validator goes on to the subzone and fetches
the DNSKEYs, it can match the DS to the DNSKEY and actually find out.
BUT, the way protocol-09 is written, that isn't how validators are
expected to work.

--
David Blacka    <davidb@verisignlabs.com>
Sr. Engineer    Verisign Applied Research
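The contrast the message draws, as an added example (not code from the original post or from any DNSSEC implementation): a DNSKEY with algorithm 253 carries the private algorithm's DNS name at the front of its key data, so a parser can recover it, while a DS record carries only the number. The record bytes below are constructed samples, not real keys or digests.

```python
import struct

ALG_PRIVATEDNS = 253  # RFC 4034: key/signature data begins with a wire-format DNS name

def decode_wire_name(data, offset):
    """Decode an uncompressed wire-format DNS name starting at offset.
    Returns (dotted name, offset just past the terminating root label)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in key data")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def dnskey_algorithm(rdata):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key.
    For 253 the private algorithm's name can be read from the key data."""
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if algorithm == ALG_PRIVATEDNS:
        name, _ = decode_wire_name(rdata, 4)
        return algorithm, name
    return algorithm, None

def ds_algorithm(rdata):
    """DS RDATA: key tag(2) algorithm(1) digest type(1) digest.
    Nothing in the record names the private algorithm, so the name
    slot is always None here, even when the algorithm field is 253."""
    _key_tag, algorithm, _digest_type = struct.unpack("!HBB", rdata[:4])
    return algorithm, None

def ds_decision(ds_rdata, supported_private_names):
    """What a validator can decide about a delegation from the DS alone."""
    algorithm, name = ds_algorithm(ds_rdata)
    if algorithm != ALG_PRIVATEDNS:
        return "numeric algorithm %d" % algorithm
    if name in supported_private_names:  # never true: the DS gives no name
        return "supported private algorithm"
    return "some private algorithm, identity unknown"

# Constructed sample records (not real keys): private algorithm named
# "example-alg.example." followed by dummy key bytes / a dummy digest.
ALG_NAME_WIRE = b"\x0bexample-alg\x07example\x00"
SAMPLE_DNSKEY = struct.pack("!HBB", 257, 3, ALG_PRIVATEDNS) + ALG_NAME_WIRE + b"\x01\x02\x03"
SAMPLE_DS = struct.pack("!HBB", 12345, ALG_PRIVATEDNS, 2) + b"\x00" * 32

if __name__ == "__main__":
    print(dnskey_algorithm(SAMPLE_DNSKEY))  # (253, 'example-alg.example.')
    print(ds_decision(SAMPLE_DS, {"example-alg.example."}))
```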


-- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>