
Re: private algorithms and the DS record



At 9:35 -0500 12/22/04, David Blacka wrote:
There is still potential for a security problem, here, I think.

If an implementation pulls the private algorithm name from the DNSKEY and
eliminates the DNSKEY and DS before actually computing the SHA1 hash of the
DNSKEY.

I'm not following... (maybe I'm context switching too much)... can you elaborate?

This seems like a natural thing to do.

Certainly, there is a safer way to handle this, but how will a future
implementer be aware of the issue?  By reading the namedropper archives?

Sure - I have a copy of the DNSSEC WG archives on my disk at all times...;)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

"A noble spirit embiggens the smallest man." - Jebediah Springfield
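The concern quoted above is about what bytes go into the DS digest when a DNSKEY uses a private algorithm. As an added illustration, not part of the thread or of any implementation discussed in it, the following Python computes the DS digest the way RFC 4034 section 5.1.4 specifies (SHA-1 over the canonical owner name followed by the complete DNSKEY RDATA) and, for contrast, the shortcut of hashing after removing the algorithm's domain name that RFC 4034 Appendix A.1.1 places at the start of the Public Key field for algorithm 253. The owner name, algorithm names and key bytes are constructed sample values; the stripping function is a hypothetical illustration of the shortcut, written only so the two results can be compared.

```python
import hashlib
import struct

PRIVATEDNS = 253  # RFC 4034 App. A.1.1: private algorithm identified by a domain name


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 2.1): Flags | Protocol | Algorithm | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def privatedns_public_key(alg_name: str, key_material: bytes) -> bytes:
    """For algorithm 253 the Public Key field begins with the algorithm's
    domain name in wire format; the key bytes proper follow it."""
    return name_to_wire(alg_name) + key_material


def key_tag(rdata: bytes) -> int:
    """Key tag computed over the full RDATA (RFC 4034 App. B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha1(owner: str, rdata: bytes) -> str:
    """DS digest (RFC 4034 5.1.4): SHA-1(canonical owner name | DNSKEY RDATA)."""
    return hashlib.sha1(name_to_wire(owner) + rdata).hexdigest()


def ds_digest_sha1_stripped(owner: str, rdata: bytes) -> str:
    """Hypothetical shortcut: drop the private algorithm name from the Public
    Key field before hashing. Present only to contrast with ds_digest_sha1."""
    fixed, public_key = rdata[:4], rdata[4:]
    if fixed[3] != PRIVATEDNS:
        return ds_digest_sha1(owner, rdata)
    # skip the wire-format name at the start of the Public Key field
    i = 0
    while public_key[i] != 0:
        i += public_key[i] + 1
    stripped = fixed + public_key[i + 1:]
    return hashlib.sha1(name_to_wire(owner) + stripped).hexdigest()


def compare(owner: str, key_material: bytes, name_a: str, name_b: str) -> dict:
    """Digest two DNSKEYs that differ only in their private algorithm name,
    both correctly and with the name stripped, so the results can be compared."""
    rd_a = dnskey_rdata(257, 3, PRIVATEDNS, privatedns_public_key(name_a, key_material))
    rd_b = dnskey_rdata(257, 3, PRIVATEDNS, privatedns_public_key(name_b, key_material))
    return {
        "correct_a": ds_digest_sha1(owner, rd_a),
        "correct_b": ds_digest_sha1(owner, rd_b),
        "stripped_a": ds_digest_sha1_stripped(owner, rd_a),
        "stripped_b": ds_digest_sha1_stripped(owner, rd_b),
        "keytag_a": key_tag(rd_a),
        "keytag_b": key_tag(rd_b),
    }


if __name__ == "__main__":
    # constructed sample values, not real keys or registered algorithm names
    result = compare("example.", b"\x01\x02\x03\x04" * 8,
                     "alg-one.example.", "alg-two.example.")
    for k, v in result.items():
        print(k, v)
```

Run as written, the two correct digests differ while the two stripped digests are identical: once the algorithm name is left out, the DS no longer binds which private algorithm the key belongs to, and the key tag (also computed over the full RDATA) is the only remaining difference. The check a signer or validator wants is therefore simple: the bytes fed to the DS digest must be the canonical owner name plus the DNSKEY RDATA exactly as it appears on the wire, algorithm name included.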

archive: <http://ops.ietf.org/lists/namedroppers/>