Re: [dnsext] Checking RRSIG RR validity
Sean Wells <snwells82@gmail.com> Fri, 31 December 2010 19:34 UTC
From: Sean Wells <snwells82@gmail.com>
To: George Barwood <george.barwood@blueyonder.co.uk>
Cc: dnsext@ietf.org
On Fri, Dec 31, 2010 at 9:55 AM, George Barwood <george.barwood@blueyonder.co.uk> wrote:

> I agree the standard is not explicit here. These are my thoughts on this:
>
> Checking Signer Name in RRSIG record
>
> The standard is not very clear on how the Signer Name in an RRSIG record is
> checked. It simply says "The RRSIG RR's Signer's Name field MUST be the name
> of the zone that contains the RRset." (RFC 4035, section 5.3.1)
>
> Unfortunately a validating resolver does not know the zone in a secure way,
> so it's unclear how this is to be implemented.

That is exactly my issue.

> Instead, the actual checks need to be:
>
> (1) The Signer's name must be equal to or a direct ancestor of the Owner of
> the RRSIG.
>
> (2) If TypeCovered is DS, the Signer's name must not be equal to the Owner
> of the RRSIG.
>
> (3) The Signer's name must not be above the Active trust anchor.
>
> Optionally, for types that can only occur signed in the zone apex (SOA,
> NS, DNSKEY, NSEC3PARAM) an additional check that the Signer's name is equal
> to the Owner of the RRSIG can be performed.
>
> From
> http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNSSSEC.htm

Thanks. Perhaps it would be good to clarify this in the Clarifications document? (assuming there is consensus).

-mohan

> Regards,
> George
>
> ----- Original Message -----
> *From:* Sean Wells <snwells82@gmail.com>
> *To:* dnsext@ietf.org
> *Sent:* Friday, December 31, 2010 4:54 PM
> *Subject:* [dnsext] Checking RRSIG RR validity
>
> Hi,
>
> In section 5.3.1 of RFC 4035:
>
>     The RRSIG RR's Signer's Name field MUST be the name of the zone
>     that contains the RRset.
>
>     The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
>     RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
>     set.
>
> My question is with respect to the first two MUSTs: "MUST be the name of
> the zone" and "MUST be present in the zone's apex DNSKEY RRset".
> What is a validating stub resolver (that uses recursive query mode)
> expected to do to implement these two MUSTs?
>
> Thanks
>
> Sean
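One way to implement the three Signer's Name checks George lists above, plus his optional apex-only check, as an added example that is not code from this thread or from any resolver; it assumes absolute DNS names, that the caller already knows the owner name of the trust anchor in use, and reads "direct ancestor" as any ancestor along the owner name.

```python
# Signer's Name sanity checks for an RRSIG, following the three rules quoted
# above. Hypothetical helper, not part of any resolver; names are absolute.

# Types that, per the quoted post, only occur signed at a zone apex.
APEX_ONLY_TYPES = {"SOA", "NS", "DNSKEY", "NSEC3PARAM"}


def labels(name):
    """Split an absolute DNS name into lowercase labels, root label first."""
    name = name.rstrip(".").lower()
    return [] if name == "" else name.split(".")[::-1]


def is_ancestor_or_equal(ancestor, name):
    """True if `ancestor` equals `name` or lies above it in the tree."""
    a, n = labels(ancestor), labels(name)
    return len(a) <= len(n) and n[:len(a)] == a


def check_signer_name(owner, type_covered, signer, trust_anchor,
                      strict_apex=False):
    """Return the list of violated rules; an empty list means the name
    relationship is acceptable (signature verification is separate)."""
    problems = []
    same_name = labels(signer) == labels(owner)
    # (1) Signer must be equal to, or an ancestor of, the RRSIG owner.
    if not is_ancestor_or_equal(signer, owner):
        problems.append("rule 1: signer is not the owner or an ancestor of it")
    # (2) A DS RRset is served by the parent, so signer must not equal owner.
    if type_covered.upper() == "DS" and same_name:
        problems.append("rule 2: DS RRset signed by its own owner name")
    # (3) Signer must not sit above the trust anchor actually in use.
    if not is_ancestor_or_equal(trust_anchor, signer):
        problems.append("rule 3: signer is above the active trust anchor")
    # Optional: apex-only types must be signed by their own owner name.
    if strict_apex and type_covered.upper() in APEX_ONLY_TYPES and not same_name:
        problems.append("apex rule: apex-only type not signed at its owner")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a DS set at example.com signed by the parent (ok)
    # versus one signed by its own owner (rule 2 violation).
    print(check_signer_name("example.com.", "DS", "com.", "."))
    print(check_signer_name("example.com.", "DS", "example.com.", "."))
```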