Re: [dnsext] Clarifying the mandatory algorithm rules

[Jelte Jansen <jelte@isc.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/18/2010 12:02 PM, Samuel Weiler wrote:
> 
> CZNIC published a DNSKEY for a "new" algorithm without simultaneously
> publishing the corresponding RRSIGs.  Unbound started rejecting answers
> from .cz because the zone didn't also include the new RRSIGs, even
> though Unbound fully supported the old algorithm and the RRSIGs for that
> old algorithm were present in the zone.
> 
> These rules are indeed for zone operators and/or signers and do not need
> to be enforced by a validator.  While I haven't worked through the

So what you're saying is that validators should not check for something
because the signer (or the operator) might not be following the spec and
that may break stuff?

Or, more generally, why say that you MUST do a, then say that you
SHOULD/MAY NOT check whether A was done?

IMHO, we should either do downgrade protection for all cases (which is
how i interpret the rfc too, and yes i am aware that this makes
algorithm rolls a PITA, but see below), and not just a specific subset,
or leave it out completely.

btw. the 'loose' interpretation would still make the hypothetical case
fail where the *old* algorithm is not supported by a validator, but the
new one is. And if algorithms are going to be obsoleted, perhaps that
case will not be that hypothetical in the future. But perhaps that is
exactly why that text is there (and why, whether or not validators check
for it, the procedure that triggered this round of discussion was still
wrong).

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzlOSYACgkQ4nZCKsdOncUrkwCfUskCLn2WsKjpCVMkYl09bAO1
aNYAoN2QD1vBczvhOEEdvtFnd9UYOIbj
=HXF4
-----END PGP SIGNATURE-----