Re: [dnsext] DNSSEC, robustness, and several DS records

"Stephan Lagerholm" <> Thu, 12 May 2011 02:00 UTC

Date: Wed, 11 May 2011 19:45:34 -0600
From: "Stephan Lagerholm" <>
To: "Mark Andrews" <>, "Francis Dupont" <>
Cc: Paul Hoffman <>,
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records

Regarding the RFC4509 discussion,

I don't see why anybody would like to upload both a SHA-1 and SHA-2 DS
to their parent. With AM, CAT, CH, CL, COM, CZ, DK, EDU, FI, FR, GR, LI,
LU, MUSEUM, NET, NL, PM, RE, SE, TF, UK, WF and YT using only the SHA-2
algorithm for their DS in the root zone. Additionally, ARPA, BE, BIZ,
a resolver to understand SHA-2 to be able to understand the DNSKEY in
their zone anyway.

I think it is fair to say that the DNSSEC functionality of a resolver
without support for SHA-2 is highly limited. As such I don't believe
that there are that many of them out there. (Am I wrong?)

Do like .COM and just don't upload the SHA-1 and you will never have
this problem. We can perhaps have a different requirement wording in any
future RFC that is introducing a new DS algorithm. But for SHA-1 vs.
SHA-2 in reality this is not an issue.

I'm noticing that FR currently only has a SHA-2 in the root zone. I
guess they came to the same conclusion.

Stephan Lagerholm
Senior DNS Architect, M.Sc., CISSP
Secure64 Software Corporation,
Cell: 469-834-3940

>-----Original Message-----
>From: [] On Behalf Of Mark Andrews
>Sent: Wednesday, May 11, 2011 8:29 PM
>To: Francis Dupont
>Cc: Paul Hoffman;
>Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
>In message <>fr>, Francis
>>  In your previous mail you wrote:
>>    Note that the text in RFC 4509 has a SHOULD, not a MUST. The fact
>>    that the BIND and Unbound people treat it as a MUST seems like a
>>    bug.
>> => I don't understand how the SHOULD can be interpreted in order to
>> avoid the "bug" (:-). Seriously you can disagree with RFC 4509
>> but not about the way it has to be implemented, i.e., your concern
>> is not about what it should be...
>> Regards
>Agreed.  You are either configured to follow the SHOULD or not and
>the default is to fail.  Now not having a switch to turn it off
>means you don't have a work around once you discover that DS is
>wrong which requires contacting the administrators for the zone as
>they are the only ones that can tell you whether it is wrong or you
>are under attack.  You can make an educated guess without contacting
>the zone administrators.
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET:
>dnsext mailing list
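The RFC 4509 SHOULD that this thread argues about, as an added Python example (not code from the list, BIND or Unbound): it builds DS digests over the owner name and DNSKEY RDATA as RFC 4034 and RFC 4509 specify, then shows what a validator that follows the SHOULD does when the parent's SHA-256 DS is wrong but its SHA-1 DS is right, and what a resolver without SHA-256 support makes of a SHA-256-only DS set. The owner name and key bytes are constructed placeholders, and the `follow_rfc4509` switch is an assumed knob standing in for the work-around Mark asks for.

```python
import hashlib
import struct

DS_SHA1, DS_SHA256 = 1, 2  # DS digest type codes (RFC 4034, RFC 4509)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = H(owner name in wire form | DNSKEY RDATA) (RFC 4034 5.1.4, RFC 4509 2)."""
    h = {DS_SHA1: hashlib.sha1, DS_SHA256: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()

def usable_ds(ds_rrset, understands_sha256=True, follow_rfc4509=True):
    """DS records (key tag, algorithm, digest type, digest) a validator considers. RFC 4509
    section 3: drop SHA-1 DS when a SHA-256 DS is present; follow_rfc4509=False is the off switch."""
    supported = {DS_SHA1} | ({DS_SHA256} if understands_sha256 else set())
    considered = [ds for ds in ds_rrset if ds[2] in supported]
    if follow_rfc4509 and any(ds[2] == DS_SHA256 for ds in considered):
        considered = [ds for ds in considered if ds[2] != DS_SHA1]
    return considered

def validate(owner, rdata, ds_rrset, understands_sha256=True, follow_rfc4509=True):
    """'secure' if a considered DS matches the key, 'bogus' if none does, 'insecure' if no
    DS has a supported digest type (no authentication path, RFC 4035 5.2)."""
    considered = usable_ds(ds_rrset, understands_sha256, follow_rfc4509)
    if not considered:
        return "insecure"
    for tag, alg, dtype, digest in considered:
        if tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype):
            return "secure"
    return "bogus"

# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8) with placeholder key bytes.
OWNER = "example."
RDATA = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
GOOD_SHA1 = (key_tag(RDATA), 8, DS_SHA1, ds_digest(OWNER, RDATA, DS_SHA1))
GOOD_SHA256 = (key_tag(RDATA), 8, DS_SHA256, ds_digest(OWNER, RDATA, DS_SHA256))
BAD_SHA256 = (key_tag(RDATA), 8, DS_SHA256, bytes(32))  # parent published a wrong SHA-256 digest
```

With the SHOULD followed, `[GOOD_SHA1, BAD_SHA256]` validates as bogus even though the SHA-1 DS is correct, which is the situation Mark describes; a SHA-256-only DS set on a resolver without SHA-256 support comes out insecure rather than bogus.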