Re: [dnsext] Clarifying the mandatory algorithm rules

[Casey Deccio <casey@deccio.net>]

On Thu, Mar 17, 2011 at 9:19 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:

> The reason for the specification is to set the expectation of the validator
> (the receiving end).  The specification requires the signer (the sending
> end) to generate and publish at least one signature of each algorithm listed
> in the zone's DS record set.  Because of this rule the validator can expect
> that a signature by a specific algorithm the validator wants to use for a
> set of data in the zone will be available if listed in the DS record set.
>  With this expectation, if the validator receives a data set from the zone
> and cannot obtain a signature, then the validator is to declare a protocol
> failure.


Okay, so the signer sets the expectation of the validator using the
algorithms in the DS RRset.  Now, does this expectation hold for simply
authenticating the DNSKEY RRset or for all zone data?

For example:

- DS RRset has only algorithm 5
- DNSKEY RRset signed by a DNSKEY matching the DS (alg 5)
- DNSKEY RRset contains DNSKEYs with algs 5 and 3
- DNSKEY with alg 3 signs A RRset.

Is there a valid chain to the A RRset, or is it a protocol failure?
Following the principle of "if one chain works, it succeeds", I would say
that it is valid.  But it's unclear whether this is part of the expectation
of the signer for the validator, and even the paragraph quoted above seems
to declare it a protocol failure--although I well understand your position
on principle.  Whether it is valid or not, I believe it should be worded
explicitly to avoid ambiguity and accurately convey principle.

Casey