IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Fri, 19 November 2010 16:02 UTC

Return-Path: <wouter@nlnetlabs.nl>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A1CF28C11F for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 08:02:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.525
X-Spam-Level:
X-Spam-Status: No, score=-2.525 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sXGrQ7z+0t1T for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 08:02:27 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id 8734328C11C for <dnsext@ietf.org>; Fri, 19 Nov 2010 08:02:26 -0800 (PST)
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id oAJG3BSi095956 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <dnsext@ietf.org>; Fri, 19 Nov 2010 17:03:12 +0100 (CET) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4CE69FBF.3070706@nlnetlabs.nl>
Date: Fri, 19 Nov 2010 17:03:11 +0100
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Fedora/3.1.6-1.fc13 Lightning/1.0b3pre Thunderbird/3.1.6
MIME-Version: 1.0
To: dnsext@ietf.org
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz> <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org> <4CE5898C.7050801@nic.cz><4CE64785.7090401@nlnetlabs.nl> <20101119141852.DC56A6F90C8@drugs.dv.isc.org>
In-Reply-To: <20101119141852.DC56A6F90C8@drugs.dv.isc.org>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Fri, 19 Nov 2010 17:03:12 +0100 (CET)
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 16:02:28 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark,

On 11/19/2010 03:18 PM, Mark Andrews wrote:
> Except the validator is not supposed to enforce it.  The point of
> the rule, for the signer, was to ensure that there would be *a*
> signature to validate with.

Right, that is the confusion.

>> Let me try to understand this and then respond.  You talk about having
>> to prepublish signatures before the keys are published.
>>
>> This is necessary with the current rules today for algorithm-support
>> reasons.  It does not go away if unbound has less strict checking.  The
>> affected servers could be bind, unbound or other implementations.
> 
> No it isn't necessary.
>
> I start out with algorithm A in DS and DNSKEY.  The DNSKEY has a
> TTL of 600.  I have a TXT record with a TTL of 600 which is fetch
> 300 seconds after the DNSKEY record is fetched.  I add a DNSKEY
> with algorithm B and re-sign the entire zone with A+B meeting the
> MUST.  301 second later a downstream validating client asks for the
> TXT record.  The client get a DNSKEY RRset with A+B and a TXT with
> A signatures.  This will validate as secure by a validator that
> supports A only.  This will validate as insecure by a validator
> that supports B only as there is no secure path from the parent to
> the child.  It will validate as secure by a validator that supports
> A+B.

Let me explain why I thought it was necessary.  The RFC links the
algorithms in the DS to the algorithms in the DNSKEY.  And the RFC links
the algorithms in the DNSKEY to the algorithms over the data.
Therefore, I did not think it was allowed to link the algorithms in the
DS to the algorithms over the data.  And that you had to check if
algorithms (and thus their signatures) were missing.

If you pick the algorithms from the DNSKEY to see if signatures over
data are missing, then in the above example, a validator that supports
A+B has to mark the answer bogus.

(I happily note as an aside, you can take the subset of algorithms that
is also published in the DS set and do strict-checks with that; this has
safe communication from the parent and more lenient algorithm rollover).

> Only when you start enforcing that the TXT and DNSKEY records have
> to have matching algorithms in the validator does this break despite
> the signer meeting the MUST.

Another source for this is RFC4641 algorithm rollover (with prepublish
of signatures before key).  I am a bit hazy why the 4641 (and -bis)
documents specify algorithm rollovers with signature introduction, if
this was not necessary; the editors and reviewers had similar confusion?
 I certainly looked at them to make sure they worked when I wrote the
algorithm code.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzmn78ACgkQkDLqNwOhpPgVqwCgpzI1URZLi6F4EyDpvwdwrXBH
mwAAn2Dr8o90brU8dPkcA+mXr8IahkmU
=1Sia
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email