RE: private algorithms and the DS record
Well, the validator needs to obtain the DNSKEY RR anyway to validate the DS
RR (the hash uses the entire RDATA of the DNSKEY). If there are two private
algorithms in use, then the validator must rely on the key_id to
differentiate.
I wouldn't expect a validator to make any decision on a zone based solely on
the DS RR since it can only validate the RRSIG and not the key hash without
the DNSKEY from the child zone.
Scott
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org]On Behalf Of David Blacka
>
> On Dec 17, 2004, at 10:54 AM, Olaf M. Kolkman wrote:
>
> > Are you referring to algorithm id clashes?
>
> yes.
>
> Private algorithms are identified with an algorithm number (253 or 254)
> and an additional DNS name or OID. When you are looking at a DNSKEY or
> RRSIG, you can figure out exactly what the algorithm name is by looking
> at the number, seeing that it is 253, then looking at the beginning for
> the key data or signature data and parsing a DNS name.
>
> Nobody has implemented this that I know of, but it looks easy enough.
>
> HOWEVER, when the resolver is following a delegation, it 1) looks for
> the presence or absence of the DS set. If present, it makes sure that
> it understands at least one of the algorithms presented in the DS
> record. BUT, it cannot tell if "253" refers to a private algorithm it
> has heard of or some other private algorithm, because there are NO
> INSTRUCTIONS for putting the private key DNS name or OID in the DS
> record anywhere. Therefore, one has to assume that it is not present.
> Thus, the only information that the resolver has at that point in the
> validation process is that the DS record is using *some* private
> algorithm, but it cannot tell which one.
>
> Basically, all I am pointing out is that private algorithm identifiers
> need to be handled everywhere algorithm numbers appear. And the DS
> record is missing information about how to handle private algorithms.
>
> It is true that, if the validator goes on to the subzone and fetches
> the DNSKEYs, it can match the DS to the DNSKEY and actually find out.
> BUT, the way protocol-09 is written, that isn't how validators are
> expected to work.
>
> --
> David Blacka <davidb@verisignlabs.com>
> Sr. Engineer Verisign Applied Research
>
>
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
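The dependency both messages describe, as an added Python example that is not code from this thread or from any DNS implementation: two DNSKEYs using algorithm 253 (PRIVATEDNS) carry different private algorithm names in their key data, but the DS records derived from them show only the number 253, so the DS can be tied to a specific key only once the child's DNSKEY is fetched and the SHA-1 digest recomputed. The owner name, algorithm names and key bytes are constructed.

```python
import hashlib
import struct

# Constructed sample data: an owner name and two DNSKEYs that both use
# algorithm 253 (PRIVATEDNS). Per RFC 4034 Appendix A.1.1, the public key
# field of such a key begins with a wire-format DNS name naming the
# private algorithm; the DS record carries only the number 253.

def name_to_wire(name):
    """Canonical (lowercase) wire-format encoding of a DNS name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"

def wire_to_name(data, offset):
    """Decode an uncompressed wire-format name starting at offset."""
    labels = []
    while data[offset] != 0:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + "."

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol, algorithm, then the public key field."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not the RSA/MD5 special case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def private_algorithm_name(rdata):
    """The private algorithm name inside a PRIVATEDNS key, else None."""
    return wire_to_name(rdata, 4) if rdata[3] == 253 else None

def ds_rdata(owner, rdata):
    """DS RDATA with digest type 1: SHA-1(owner name | DNSKEY RDATA)."""
    digest = hashlib.sha1(name_to_wire(owner) + rdata).digest()
    return struct.pack("!HBB", key_tag(rdata), rdata[3], 1) + digest

def ds_matches_dnskey(owner, ds, rdata):
    """Only with the child's DNSKEY in hand can the DS be tied to a key."""
    return ds == ds_rdata(owner, rdata)

OWNER = "example.test."  # constructed
KEY_A = dnskey_rdata(257, 3, 253, name_to_wire("alg-a.example.test.") + b"\x01\x02\x03")
KEY_B = dnskey_rdata(257, 3, 253, name_to_wire("alg-b.example.test.") + b"\x04\x05\x06")
```

Inspecting `ds_rdata(OWNER, KEY_A)[2]` and `ds_rdata(OWNER, KEY_B)[2]` yields 253 for both, while `private_algorithm_name` on the DNSKEYs distinguishes them.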