Re: [dnsext] RSA/SHA2 new NSEC3 text proposal
Jelte Jansen wrote:
>
> OK, I've refined the text a bit, and made two possible versions of 5.2.2
> for the validator part, see below.
>
>
> 5.2. Support for NSEC3 Denial of Existence
>
> Note that these algorithms have no aliases to signal NSEC3 denial of
> existence. The aliases mechanism used in RFC5155 was to protect
> implementations predating that RFC from encountering records they
> could not know about.
>
> Implementations that support RSA/SHA-2 algorithms SHOULD also
> implement NSEC3 denial of existence [RFC5155].
>
I agree with Alex that if we go with option 2 below, that SHOULD would
have to be changed to MUST to keep it consistent.
> 5.2.1. NSEC3 in Authoritative servers
>
> An authoritative server that does not implement NSEC3 can still serve
> zones that use RSA/SHA2 with NSEC.
>
I think the "can" could be changed to a MAY without a problem. Looking at
RFC 2119 it seems correct.
>
>
> And one of these:
>
> 5.2.2. NSEC3 in Validators
>
> If a validator chooses not to support NSEC3, it MUST recognize NSEC3
> Resource Records and treat any zone that uses those as unsigned,
> after verifying their signatures. This does, however, make you
> insecure for negative answers within the zone, and is not
> recommended.
>
> OR
>
> 5.2.2. NSEC3 in Validators
>
> A DNSSEC Validator that implements RSA/SHA2 MUST be able to
> handle both NSEC and NSEC3 negative answers. If the validator is
> not able to handle both, it MUST treat a zone signed with
> RSA/SHA256 or RSA/SHA512 as insecure.
>
>
In the second option, should the validator treat the zone as insecure or
unsigned? I'm wondering to myself if that really makes a difference.
Scott
> Jelte
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
--
----------------------------------------
Scott Rose Computer Scientist
NIST
ph: +1 301-975-8439
scott.rose@nist.gov
http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------
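Added example, not part of the thread or of the draft text it discusses: a small Python model of the two proposed 5.2.2 behaviours, so the difference between them can be seen on concrete negative answers. It assumes the RSA/SHA2 algorithm numbers 8 and 10 from RFC 5702 (not quoted above) and reports results as the RFC 4035 section 4.3 validator states (Secure, Insecure, Bogus), with "unsigned" and "insecure" both mapped to the Insecure state. The NegativeAnswer inputs are constructed for the example.

```python
"""Added example, not text from the thread or from the draft it discusses.

Models the two proposed 5.2.2 behaviours for a validator that does not
implement NSEC3. Assumptions (not stated in the thread): the RSA/SHA2
algorithm numbers 8 and 10 are taken from RFC 5702, and the result states
are the RFC 4035 section 4.3 validator states (Secure / Insecure / Bogus).
"""
from dataclasses import dataclass
from enum import Enum

RSASHA256 = 8    # assumed: RFC 5702 algorithm numbers, not quoted in the thread
RSASHA512 = 10
RSA_SHA2_ALGORITHMS = {RSASHA256, RSASHA512}


class State(Enum):
    SECURE = "secure"      # denial proven under a validated chain of trust
    INSECURE = "insecure"  # zone treated as unsigned; no protection for the answer
    BOGUS = "bogus"        # validation attempted and failed


@dataclass(frozen=True)
class NegativeAnswer:
    """A constructed negative response: which algorithm signed the zone, which
    denial-of-existence record type it carries, and whether the RRSIGs over
    those records verify."""
    zone_algorithm: int
    denial_rrtype: str      # "NSEC" or "NSEC3"
    signatures_valid: bool


@dataclass(frozen=True)
class Validator:
    supports_nsec3: bool
    policy: str             # "option1" or "option2", the two proposed 5.2.2 texts

    def validate(self, ans: NegativeAnswer) -> State:
        if ans.denial_rrtype not in ("NSEC", "NSEC3"):
            raise ValueError(f"unknown denial record type {ans.denial_rrtype!r}")
        if self.policy == "option1":
            return self._option1(ans)
        if self.policy == "option2":
            return self._option2(ans)
        raise ValueError(f"unknown policy {self.policy!r}")

    def _verify(self, ans: NegativeAnswer) -> State:
        """Ordinary validation once the record type is one we can handle."""
        return State.SECURE if ans.signatures_valid else State.BOGUS

    def _option1(self, ans: NegativeAnswer) -> State:
        # Option 1: a validator without NSEC3 must still recognise NSEC3
        # records, verify their signatures, and then treat the zone as
        # unsigned. Only the NSEC3 case changes; NSEC answers validate as usual.
        if ans.denial_rrtype == "NSEC3" and not self.supports_nsec3:
            if not ans.signatures_valid:
                return State.BOGUS
            return State.INSECURE
        return self._verify(ans)

    def _option2(self, ans: NegativeAnswer) -> State:
        # Option 2: a validator that cannot handle both NSEC and NSEC3 must
        # treat every zone signed with RSA/SHA256 or RSA/SHA512 as insecure,
        # whether that particular zone uses NSEC or NSEC3.
        if ans.zone_algorithm in RSA_SHA2_ALGORITHMS and not self.supports_nsec3:
            return State.INSECURE
        if ans.denial_rrtype == "NSEC3" and not self.supports_nsec3:
            # Non-RSA/SHA2 zone using NSEC3 with no NSEC3 support: not covered by
            # the draft text above (RFC 5155's alias mechanism applies there), so
            # this model deliberately claims no result for it.
            raise NotImplementedError("NSEC3 without support outside RSA/SHA2 is out of scope")
        return self._verify(ans)


def protected_answers(validator: Validator, answers) -> int:
    """Count how many of the given negative answers the validator proves SECURE;
    this is what a validator without NSEC3 gives up under each option."""
    return sum(1 for a in answers if validator.validate(a) is State.SECURE)


if __name__ == "__main__":
    sample = [
        NegativeAnswer(RSASHA256, "NSEC", True),
        NegativeAnswer(RSASHA512, "NSEC", True),
        NegativeAnswer(RSASHA256, "NSEC3", True),
    ]
    for policy in ("option1", "option2"):
        v = Validator(supports_nsec3=False, policy=policy)
        print(policy, [v.validate(a).value for a in sample],
              "secure:", protected_answers(v, sample))
```

The model makes the consistency point visible: under option 1 a validator without NSEC3 still gets Secure results for NSEC-signed RSA/SHA2 zones and only loses the NSEC3 ones, whereas under option 2 it gets Insecure for every RSA/SHA2 zone, NSEC or not, which is why the SHOULD in 5.2 would need to become a MUST alongside that option.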