Re: [dnsext] Clarifying the mandatory algorithm rules

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 17 March 2011 16:37 UTC

Message-Id: <a06240802c9a7e0807069@[10.31.200.117]>
In-Reply-To: <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE51293.5040605@nlnetlabs.nl> <a06240801c9101620d463@192.168.128.163> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com>
Date: Thu, 17 Mar 2011 12:19:07 -0400
To: Casey Deccio <casey@deccio.net>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules

At 8:46 -0700 3/17/11, Casey Deccio wrote:

>My apologies for the misinterpretation.  Even with the clear context of
>your opinion, I somehow got lost with your opening paragraph of your example.

OK, again... (not frustrated that you misinterpreted, frustrated that 
I didn't remove enough pronouns)

The reason for the specification is to set the expectation of the 
validator (the receiving end).  The specification requires the signer 
(the sending end) to generate and publish at least one signature of 
each algorithm listed in the zone's DS record set.  Because of this 
rule the validator can expect that a signature by a specific 
algorithm the validator wants to use for a set of data in the zone 
will be available if listed in the DS record set.  With this 
expectation, if the validator receives a data set from the zone and 
cannot obtain a signature, then the validator is to declare a 
protocol failure.  The validator does not need the other signatures, 
and therefore should not waste time evaluating them.  These other 
signatures might be important to other validators.


What I didn't explain this time is why the DS record set is important 
to all of this.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
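The signer/validator split described in the message, worked through as an added example (this is illustration written for this archive page, not code from the post or from any DNS implementation). It models the reading Lewis gives above: the signer must cover every RRset with at least one RRSIG per algorithm in the DS set, and a validator picks one DS-listed algorithm it supports, demands an RRSIG in that algorithm, and does not touch the others. The DS/RRSIG records, the verification stand-in and the zone data are all constructed; only the algorithm numbers (5, 8, 13) are real IANA values, used here as labels.

```python
"""Toy model of the mandatory-algorithm expectation as described in the message.
Constructed example: no real DNS records, no real cryptography."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# IANA DNSSEC algorithm numbers, used purely as labels in this model.
RSASHA1, RSASHA256, ECDSAP256SHA256 = 5, 8, 13


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int


@dataclass
class Outcome:
    status: str            # "secure", "bogus" or "insecure"
    detail: str
    evaluated: List[RRSIG] = field(default_factory=list)  # signatures actually checked


def required_algorithms(ds_set: Iterable[DS]) -> Set[int]:
    """The algorithms the parent's DS set promises the child zone signs with."""
    return {ds.algorithm for ds in ds_set}


def signer_violations(ds_set: Iterable[DS],
                      zone_rrsigs: Dict[str, List[RRSIG]]) -> Dict[str, Set[int]]:
    """Signer side: every RRset must carry at least one RRSIG for each DS algorithm.
    Returns {rrset_name: {missing algorithms}} for every RRset that breaks the rule."""
    required = required_algorithms(ds_set)
    violations = {}
    for name, sigs in zone_rrsigs.items():
        missing = required - {s.algorithm for s in sigs}
        if missing:
            violations[name] = missing
    return violations


def validate_rrset(ds_set: Iterable[DS], rrsigs: List[RRSIG],
                   preference: List[int],
                   verify: Callable[[RRSIG], bool]) -> Outcome:
    """Validator side, as the message describes it: choose one DS-listed algorithm
    this validator supports (first hit in its preference order), insist on an RRSIG
    of that algorithm, check only that signature, and ignore all the others."""
    required = required_algorithms(ds_set)
    chosen = next((alg for alg in preference if alg in required), None)
    if chosen is None:
        # No supported algorithm in the DS set: no authentication path from the
        # parent, so the zone is treated as unsigned rather than as bogus.
        return Outcome("insecure", "validator supports none of the DS algorithms")
    candidates = [s for s in rrsigs if s.algorithm == chosen]
    if not candidates:
        # The signer was required to publish this signature; its absence is a protocol failure.
        return Outcome("bogus", f"no RRSIG with algorithm {chosen} although the DS set lists it")
    out = Outcome("bogus", f"every RRSIG with algorithm {chosen} failed verification")
    for sig in candidates:
        out.evaluated.append(sig)
        if verify(sig):
            return Outcome("secure", f"verified with algorithm {chosen}", out.evaluated)
    return out


# Constructed sample zone: the parent publishes DS records for two algorithms,
# the signer covered one RRset with both and forgot algorithm 13 on the other.
SAMPLE_DS = [DS(12345, RSASHA256), DS(54321, ECDSAP256SHA256)]
SAMPLE_ZONE = {
    "www.example. A": [RRSIG("A", RSASHA256, 12345), RRSIG("A", ECDSAP256SHA256, 54321)],
    "example. MX": [RRSIG("MX", RSASHA256, 12345)],
}

# Stand-in for cryptographic verification (constructed): which signatures "check out".
GOOD_SIGNATURES = {(RSASHA256, 12345), (ECDSAP256SHA256, 54321)}


def fake_verify(sig: RRSIG) -> bool:
    return (sig.algorithm, sig.key_tag) in GOOD_SIGNATURES


if __name__ == "__main__":
    print("signer violations:", signer_violations(SAMPLE_DS, SAMPLE_ZONE))
    for name, sigs in SAMPLE_ZONE.items():
        print(name, "->", validate_rrset(SAMPLE_DS, sigs, [ECDSAP256SHA256, RSASHA256], fake_verify))
```

Running it shows the two ends of the expectation: the signer-side check flags `example. MX` for the missing algorithm 13, and a validator that prefers algorithm 13 declares that RRset bogus without ever looking at the algorithm 8 signature, while a validator that only knows algorithm 8 validates the same RRset fine. One caveat for anyone implementing from this thread rather than from this message alone: the rule for validators was later settled the other way in RFC 6840 section 5.11, which treats the "sign with every DS algorithm" requirement as binding on signers only and tells validators to accept any single valid path.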