Re: [dnsext] Clarifying the mandatory algorithm rules

Samuel Weiler <weiler@watson.org> Thu, 10 March 2011 19:17 UTC

On Tue, 30 Nov 2010, W.C.A. Wijngaards wrote:

> It is clear that checking the set of algorithms present in the DNSKEY
> set is not a good idea, and checking the set of algorithms from the DS
> set is the right, more lenient way to go.

I apologize for checking out of this discussion last fall.

I would like the WG's help understanding where you want to go with 
this topic.  I don't fully understand the argument in favor of not 
checking the algorithms on the child side of the zone cut (= the ones 
in the DNSKEY RRset), nor am I sure that was the direction everyone 
seemed to want to go.  Could someone summarize the current state of 
this?

My own inclination is (still) to treat this as a clarification, saying 
that validators are not required to enforce these rules.  (In other 
words, the extra checks Unbound did were just fine, though 
unnecessary.  BIND's lenient approach was also fine.)  Two specific 
pieces of proposed text can be found in the first message in this 
thread, dated 18 November 2010.

-- Sam