Re: [dnsext] Clarifying the mandatory algorithm rules

[Edward Lewis <Ed.Lewis@neustar.biz>]

I should add...just because "there's supposed to be X" doesn't mean X 
has to be there.  If I'm looking for X and it's not there, we have a 
failure.  If I'm not looking for X and it is not there, "no harm, no 
foul."  (The latter is the same as not needing X and it's there 
anyway.)

At 12:59 -0400 3/18/11, Edward Lewis wrote:
>At 9:36 -0700 3/18/11, Casey Deccio wrote:
>
>
>>Okay, so the signer sets the expectation of the validator using the
>>algorithms in the DS RRset.  Now, does this expectation hold for
>>simply authenticating the DNSKEY RRset or for all zone data?
>
>No, the specification sets expectations.  I don't mean to be a pain, 
>but the first words say this: "The reason for the specification is 
>to set the expectation."  I mean that in the strictest sense.  The 
>validator knows there's supposed to be X because the spec says so.
>
>>For example:
>>
>>- DS RRset has only algorithm 5
>>- DNSKEY RRset signed by a DNSKEY matching the DS (alg 5)
>>- DNSKEY RRset contains DNSKEYs with algs 5 and 3
>>- DNSKEY with alg 3 signs A RRset.
>>
>>Is there a valid chain to the A RRset, or is it a protocol failure?
>
>Depends.  If the validator knows both 3 and 5, then it can build a 
>chain and it's cool.  If the validator only knows 5, then there's a 
>missing piece.  If the validator only knows 3, there's no chain to 
>the data.
>
>In summary:
>Validator knows 3 & 5 - validates
>Validator knows only 3 - data is accepted as not-signed.
>Validator knows only 5 - service failure as *expected* signature is not found*
>Validator doesn't to 3 & 5 - accepted as not-signed
>Validator doesn't do DNSSEC - accepted as not-signed
>
>*not found = not obtainable, can't get it, ...
>
>>Following the principle of "if one chain works, it succeeds", I would say
>>that it is valid.  But it's unclear whether this is part of the expectation
>>of the signer for the validator, and even the paragraph quoted above seems
>>to declare it a protocol failure--although I well understand your position
>>on principle.  Whether it is valid or not, I believe it should be
>>worded explicitly to avoid ambiguity and accurately convey principle.
>
>It is always up to the validator to decide if it accepts the data. 
>Local policy and DNSSEC is about protecting the cache.  DNSSEC is 
>NOT designed to enforce proper operations, it is NOT to force the 
>zone admin into doing anything.  Remember, DNSSEC is optional to the 
>protocol, it's the validators that want to pull the data for 
>protection.
>
>--
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>Edward Lewis
>NeuStar                    You can leave a voice message at +1-571-434-5468
>
>Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
>Son: "Waah!"
>_______________________________________________
>dnsext mailing list
>dnsext@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsext

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"