
Re: [dnsext] one algorithm number or two



On Fri, 12 Dec 2008, Peter Koch wrote:

... So, the resolver doesn't know in advance which method it will see, it is just told to expect either one. An NSEC3-agnostic validator will likely treat the zone as insecure.
...
The same holds for the sha256 aware validator, except that it won't know for sure in advance to treat the zone as insecure if it doesn't implement NSEC3.

Indeed, it won't be able to make any determination about the _zone_ status at all, only about the status of particular answers. An NSEC3-agnostic resolver might well get positive answers from the NSEC3 zone and treat them as secure long before it sees a negative answer which it must treat as unsigned. Part of the zone appears secure, part unsigned.

I'm having trouble thinking of another example of a validator not being able to make a "zone" status determination by examining the zone cut. The base specs routinely talk about the zone security status.

Does it matter? Probably not. But it's the same sort of apparently academic difference that "DS is the first RR to appear only on the parent's side of a delegation" was. We thought that difference didn't matter. RFC4035 section 3.1.4.1 was the result. Maybe using two (four) algorithm numbers is the right path for now.

If we don't leave both algorithm numbers, Jelte's text needs to be modified to specify "answers", not "zones", and should explicitly call this out as a difference from the base specs. (RFC4035 section 4.3 et al.)

-- Sam
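The split-status situation Sam describes, modelled as an added example (this is not code from the thread or from any DNSSEC implementation). It uses the real IANA algorithm numbers RSASHA1 = 5 and RSASHA1-NSEC3-SHA1 = 7 (RFC 5155); the Zone and Validator classes, the zone name and the two deployment variants are constructed for illustration. The zone-cut rule follows RFC 4035 section 5.2 (no supported DS algorithm means the delegation is treated as unsigned), and a negative answer whose NSEC3 proof the validator cannot parse is treated as unsigned, as the message states.

```python
"""Model of how an NSEC3-unaware validator judges a zone at its cut versus
the individual answers it receives, depending on whether NSEC3-signed zones
advertise their own algorithm number or reuse the NSEC one."""
from dataclasses import dataclass

RSASHA1 = 5             # algorithm number known to NSEC-only validators
RSASHA1_NSEC3_SHA1 = 7  # NSEC3 alias assigned by RFC 5155

SECURE, INSECURE = "secure", "insecure"


@dataclass(frozen=True)
class Zone:
    name: str
    ds_algorithms: frozenset   # algorithm numbers in the DS RRset at the parent
    denial: str                # "NSEC" or "NSEC3": record type in negative answers


@dataclass(frozen=True)
class Validator:
    algorithms: frozenset      # signature algorithms this validator can verify
    understands_nsec3: bool

    def zone_status(self, zone: Zone) -> str:
        # RFC 4035 5.2: no supported algorithm in the DS RRset means the
        # delegation is treated as unsigned, so the whole zone is insecure.
        if not (zone.ds_algorithms & self.algorithms):
            return INSECURE
        return SECURE

    def answer_status(self, zone: Zone, positive: bool) -> str:
        # Below an insecure delegation every answer is insecure, whatever it carries.
        if self.zone_status(zone) == INSECURE:
            return INSECURE
        if positive:
            # The RRSIG uses a supported algorithm; assume it verifies.
            return SECURE
        # Negative answer: the denial-of-existence proof must be understood.
        if zone.denial == "NSEC3" and not self.understands_nsec3:
            return INSECURE   # unparseable proof: treated as unsigned
        return SECURE


def classify(validator: Validator, zone: Zone) -> dict:
    """Zone-cut status alongside the status of a positive and a negative answer."""
    return {
        "zone": validator.zone_status(zone),
        "positive_answer": validator.answer_status(zone, True),
        "negative_answer": validator.answer_status(zone, False),
    }


def consistent(result: dict) -> bool:
    """True when per-answer status agrees with the zone-cut status."""
    return len(set(result.values())) == 1


# Two deployments of the same NSEC3-signed zone (constructed), differing only
# in the algorithm number advertised in the DS/DNSKEY RRsets.
TWO_NUMBERS = Zone("example.", frozenset({RSASHA1_NSEC3_SHA1}), "NSEC3")
ONE_NUMBER = Zone("example.", frozenset({RSASHA1}), "NSEC3")

# An NSEC3-agnostic validator and one that implements RFC 5155 (constructed).
LEGACY = Validator(frozenset({RSASHA1}), understands_nsec3=False)
MODERN = Validator(frozenset({RSASHA1, RSASHA1_NSEC3_SHA1}), understands_nsec3=True)

if __name__ == "__main__":
    for label, zone in (("separate numbers", TWO_NUMBERS), ("shared number", ONE_NUMBER)):
        r = classify(LEGACY, zone)
        print(f"legacy validator, {label}: {r}, consistent={consistent(r)}")
```

With a separate algorithm number the legacy validator decides "insecure" once at the zone cut and every answer inherits that verdict; with a shared number it accepts positive answers as secure but must treat NSEC3-backed negative answers as unsigned, which is exactly the "part secure, part unsigned" split that a zone-level status cannot express.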

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>