Re: [dnsext] Checking RRSIG RR validity

Francis Dupont <Francis.Dupont@fdupont.fr> Fri, 31 December 2010 17:06 UTC

Message-Id: <201012311708.oBVH8wqJ086985@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Sean Wells <snwells82@gmail.com>
In-reply-to: Your message of Fri, 31 Dec 2010 08:54:38 PST. <AANLkTinkmbx7yaTcd6P9sBryzQa7An2FMCS8aFk7jhb7@mail.gmail.com>
Date: Fri, 31 Dec 2010 18:08:58 +0100
Sender: Francis.Dupont@fdupont.fr
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Checking RRSIG RR validity

 In your previous mail you wrote:

   In section 5.3.1 of RFC 4035:
   
     The RRSIG RR's Signer's Name field MUST be the name of the zone
     that contains the RRset.
   
     The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
     RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
     set.
   
   What is a validating stub resolver (that uses recursive query mode)
   expected to do for implementing these two MUSTs?
   
=> yes of course: there is a trivial attack if the first is not done
and possible (i.e., sure) confusion with other DNSKEY RR usages for
the second.

Happy New Year!

Francis.Dupont@fdupont.fr
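The two MUSTs quoted above, together with the other RFC 4035 section 5.3.1 preconditions a validator applies before attempting a signature, as an added rule-check example. This is not code from the thread; the data model, the `candidate_keys` function and the sample names, tags and times are constructed for illustration, and no cryptographic verification is performed.

```python
# Added example: RFC 4035 section 5.3.1 checks that select which apex DNSKEY
# RRs may verify an RRSIG. Pure rule checks; the key tag is an input field.
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7 = Zone Key (RFC 4034 section 2.1.1)
DNSKEY_PROTOCOL = 3     # DNSKEY protocol field MUST be 3

@dataclass(frozen=True)
class DNSKey:
    owner: str      # owner name of the DNSKEY RRset, i.e. the zone apex
    flags: int
    protocol: int
    algorithm: int
    key_tag: int

@dataclass(frozen=True)
class RRSIG:
    owner: str      # owner name of the signed RRset
    type_covered: str
    algorithm: int
    labels: int
    inception: int  # seconds since the epoch
    expiration: int
    key_tag: int
    signer: str     # Signer's Name field

def label_count(name):
    return 0 if name == "." else name.rstrip(".").count(".") + 1

def in_zone(name, zone):
    """True if name is zone itself or lies below it (fully qualified names)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)

def candidate_keys(sig, rrset_owner, rrset_type, apex_dnskeys, now):
    """Apex DNSKEYs permitted to verify sig; empty list if any MUST fails."""
    if sig.owner.lower() != rrset_owner.lower() or sig.type_covered != rrset_type:
        return []
    if sig.labels > label_count(rrset_owner):        # wildcard label sanity check
        return []
    if not sig.inception <= now <= sig.expiration:   # validity window
        return []
    if not in_zone(rrset_owner, sig.signer):         # signer must be an enclosing zone
        return []
    return [k for k in apex_dnskeys
            if k.owner.lower() == sig.signer.lower()  # in the signer zone's apex DNSKEY RRset
            and k.flags & ZONE_KEY_FLAG               # Zone Key bit set, not another DNSKEY use
            and k.protocol == DNSKEY_PROTOCOL
            and k.algorithm == sig.algorithm
            and k.key_tag == sig.key_tag]

# Constructed sample: one zone key and one non-zone key share the same key tag.
APEX = [DNSKey("example.com.", 256, 3, 8, 12345),   # Zone Key: acceptable
        DNSKey("example.com.", 0,   3, 8, 12345),   # same tag, flags 0: rejected
        DNSKey("other.test.",  256, 3, 8, 12345)]   # wrong apex: rejected
SIG = RRSIG("www.example.com.", "A", 8, 3, 100, 200, 12345, "example.com.")

def demo(now=150):
    return candidate_keys(SIG, "www.example.com.", "A", APEX, now)
```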