Re: [dnsext] DS digest downgrade

Francis Dupont <Francis.Dupont@fdupont.fr> Mon, 21 March 2011 23:37 UTC

From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: George Barwood <george.barwood@blueyonder.co.uk>
In-reply-to: Your message of Mon, 21 Mar 2011 23:13:00 GMT. <51C21B4C57014630B72B50B919271C89@local>
Date: Tue, 22 Mar 2011 00:38:40 +0100
Sender: Francis.Dupont@fdupont.fr
Cc: dnsext@ietf.org
Subject: Re: [dnsext] DS digest downgrade

 In your previous mail you wrote:

   i.e. the zone is using SHA1 DS records, admin generates new KSK,
   publishes SHA256 DS for the new KSK but doesn't publish SHA256 DS
   for the old KSK, leading to validation failures.

=> this should never happen as the rule is in fact for the
replacement of SHA1 by SHA256 as the DS digest algorithm.
But don't believe we are saved: there are other DS digest algos
(and even more to come) and the mixed algo case is dangerously
under-specified...

Regards

Francis.Dupont@fdupont.fr
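The rollover failure George describes and the scope of the rule Francis refers to can be modelled in a few lines. The following is an added example, not code from the thread or from any resolver: it models the RFC 4509 section 3 rule (a validator that supports SHA-256 ignores SHA-1 DS records when SHA-256 DS records are present in the same RRset) and walks through the scenario where the new KSK gets only a SHA-256 DS while the old KSK, which is still the only key signing the DNSKEY RRset, keeps only a SHA-1 DS. The key tags and the assumption that the zone is signed by the old KSK alone at that point are constructed for the illustration; the digest type codes are the IANA DS digest type numbers (1 = SHA-1, 2 = SHA-256, 3 = GOST R 34.11-94).

```python
"""Model of DS digest selection during a KSK rollover (added example,
not from the dnsext thread). Key tags and the signing state are constructed."""
from dataclasses import dataclass

# IANA DS digest type codes
SHA1, SHA256, GOST = 1, 2, 3


@dataclass(frozen=True)
class DS:
    key_tag: int       # key tag of the DNSKEY this DS refers to
    digest_type: int   # one of the codes above


def usable_ds(ds_rrset, supported_types):
    """Return the DS records a validator will actually consider.

    Records with a digest type the validator does not support are dropped.
    RFC 4509 section 3 then says: if SHA-256 DS records are present, ignore
    the SHA-1 ones. The rule is written only for the SHA-1 -> SHA-256
    transition; any other digest type (e.g. GOST) is left untouched.
    """
    usable = [ds for ds in ds_rrset if ds.digest_type in supported_types]
    if SHA256 in supported_types and any(ds.digest_type == SHA256 for ds in usable):
        usable = [ds for ds in usable if ds.digest_type != SHA1]
    return usable


def validatable_keys(ds_rrset, signing_key_tags, supported_types):
    """Key tags that chain from a usable DS to a DNSKEY that actually signs
    the child's DNSKEY RRset. An empty set means the child fails validation."""
    return {ds.key_tag for ds in usable_ds(ds_rrset, supported_types)
            if ds.key_tag in signing_key_tags}


def rollover_scenarios():
    """Walk through the thread's scenario and two variants."""
    old_ksk, new_ksk = 11111, 22222           # constructed key tags
    signers = {old_ksk}                       # only the old KSK signs so far
    modern = {SHA1, SHA256, GOST}             # validator supporting all three
    legacy = {SHA1}                           # pre-RFC 4509 validator

    # George's case: SHA-256 DS only for the new KSK, SHA-1 DS only for the old.
    broken = [DS(old_ksk, SHA1), DS(new_ksk, SHA256)]
    # Fix: publish a SHA-256 DS for the old KSK as well (or for every key).
    fixed = [DS(old_ksk, SHA1), DS(old_ksk, SHA256), DS(new_ksk, SHA256)]
    # Francis's point: with another digest type instead of SHA-256 the
    # RFC 4509 rule never triggers, so the SHA-1 DS stays usable.
    mixed_gost = [DS(old_ksk, SHA1), DS(new_ksk, GOST)]

    return {
        "broken_modern": validatable_keys(broken, signers, modern),      # set()
        "broken_legacy": validatable_keys(broken, signers, legacy),      # {11111}
        "fixed_modern": validatable_keys(fixed, signers, modern),        # {11111}
        "mixed_gost_modern": validatable_keys(mixed_gost, signers, modern),  # {11111}
    }


if __name__ == "__main__":
    for name, keys in rollover_scenarios().items():
        print(f"{name}: {'FAIL' if not keys else 'ok via key tags ' + str(sorted(keys))}")
```

The interesting output is that the SHA-1/SHA-256 downgrade protection is exactly what breaks the modern validator in the "broken" case, while a legacy SHA-1-only validator sails through; the cure is to publish the stronger digest for every KSK that still signs, not just the new one. The GOST variant shows why Francis is not reassured: the rule is keyed to SHA-256 specifically, so nothing in it tells a validator what to do with a DS RRset mixing SHA-1 with any other digest type.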