IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Samuel Weiler <weiler@watson.org> Fri, 01 April 2011 14:20 UTC

Return-Path: <weiler@watson.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 72B493A681A for <dnsext@core3.amsl.com>; Fri, 1 Apr 2011 07:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.67
X-Spam-Level:
X-Spam-Status: No, score=-2.67 tagged_above=-999 required=5 tests=[AWL=-0.071, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lqopa3EfL5+Y for <dnsext@core3.amsl.com>; Fri, 1 Apr 2011 07:20:18 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 9B4593A67FA for <dnsext@ietf.org>; Fri, 1 Apr 2011 07:20:18 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id p31ELwOM094166 for <dnsext@ietf.org>; Fri, 1 Apr 2011 10:21:58 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id p31ELwJ8094163 for <dnsext@ietf.org>; Fri, 1 Apr 2011 10:21:58 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Fri, 01 Apr 2011 10:21:58 -0400
From: Samuel Weiler <weiler@watson.org>
To: dnsext@ietf.org
In-Reply-To: <a06240800c9bb6f86edae@[10.31.200.112]>
Message-ID: <alpine.BSF.2.00.1104011020190.92106@fledge.watson.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE51293.5040605@nlnetlabs.nl> <a06240801c9101620d463@192.168.128.163> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com> <a06240802c9a7e0807069@10.31.200.117> <AANLkTi=4co5mS3RYhK1BvUMOm54wgNAMeKtk3_Zm0ff1@mail.gmail.com> <a06240802c9a93d762e13@[10.31.200.112]> <a06240803c9a9417e1fe8@[10.31.200.112]> <4D938CC3.1020103@nlnetlabs.nl> <a06240800c9ba6184d535@[10.31.200.112]> <4D94DF2B.1040407@nlnetlabs.nl> <a06240800c9bb6f86edae@[10.31.200.112]>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Fri, 01 Apr 2011 10:21:58 -0400 (EDT)
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2011 14:20:19 -0000

As in my last message, Matthijs, Mark Andrews, and I spent some time 
today trying to understand each other.  This is the first of three 
posts trying to capture our understandings.

I believe we're in agreement about the mandatory algorithm rules in
rfc4035 and the general direction in which they should be clarified.
There are two proposals for changing these rules, which I'm describing
in separate notes.  I think we should resolve both now so that we only
have to make the clarification once.  Please respond to each of those
notes separately with your opinions on each.

I'll restate the current (clarified) rules here, though the actual
clarification text will probably look more like what I posted in
November.  Think of this more as a starting point for considering the
two proposals that follow than as final text to be added to
dnssec-bis-updates.

    The DS RRset and DNSKEY RRset are used to signal which algorithms
    are used to sign a zone.  The pressence of an algorithm in a zone's
    DS or DNSKEY RRset set signals that that algorithm is used to sign
    the entire zone.

    When signed, a zone MUST include a DNSKEY for each algorithm
    present in the zone's DS RRset and expected trust anchors for the
    zone.  The zone must also be signed with each algorithm (though not
    each key) present in the DNSKEY RRset.  It is possible to add
    algorithms at the DNSKEY that aren't in the DS record, but not
    vice-versa.

    [The above is all clarification -- the below is arguably a change,
    and it's one that would itself be changed by proposal #1.]

    These rules, an indicated by their pressence in second 2 of 4035,
    are rules for zone singers, not rules for validators.  Validators
    SHOULD accept any single valid path.  They SHOULD NOT insist that
    all algorithms signalled in the DS RRset work, and they MUST NOT
    insist that all algorithms signalled in the DNSKEY RRset work.

v2.23.0 | Report a Bug | By Email