Re: [dnsext] Clarifying the mandatory algorithm rules

[Casey Deccio <casey@deccio.net>]

On Tue, Mar 15, 2011 at 5:45 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:

> The specification requires the generation of a signature of each algorithm
> in the DS record to set the expectation of the validator (remote end).  The
> expectation is that if the DS record set indicates that algorithm X is in
> use, there will be a signature of algorithm X to be had.  If this
> expectation is not met, then the validator is to declare a protocol failure.
>
>
For further clarification...  It seems like you are favorable towards the
validator verifying an RRSIG for every algorithm (which it understands, of
course) that exists in the DS RRset.  Is this verification just for the
RRSIGs made by SEP (i.e., corresponding to DS RRs) DNSKEYs covering the
DNSKEY RRset, or for any arbitrary RRSIG in the zone?  If the former, once
you have authenticated the DNSKEY RRset (with all the algorithms in the DS),
then an RRSIG may be verified by any DNSKEY in the DNSKEY RRset, regardless
of algorithm; if the latter, then the algorithms must play a part in
validating any RRset in the zone.  The former seems more reasonable to me.
It seems like perhaps your view has changed from SHOULD NOT to SHOULD in one
of these regards?

In either case, I think that a bit more wording should be added to the
proposed text to make it clear what is expected of the the validator, in
terms of which RRSIG to check algorithms for, depending on what consensus
is.

Casey