Re: [DNSOP] DS records and validating resolvers
Ólafur Guðmundsson <olafur@cloudflare.com> Thu, 14 July 2016 16:33 UTC
In-Reply-To: <0646A536-E169-4CC3-B61A-C43880EC42B2@isnic.is>
References: <0646A536-E169-4CC3-B61A-C43880EC42B2@isnic.is>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Thu, 14 Jul 2016 12:33:01 -0400
Message-ID: <CAN6NTqydVWmxLjD0FFy6jnLNWqOTaHuTQqhYRgJxaeDL=irqWg@mail.gmail.com>
To: Einar Bjarni Halldórsson <einar@isnic.is>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0rbLMbAAvADu6diHp2HJ5vOIPOw>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] DS records and validating resolvers
One DS + DNSKEY is sufficient; the others are ignored, as they can be for past or future keys. The only exception is when the DS records are for multiple algorithms: some implementations demand that all algorithms are working.

Olafur

On Thu, Jul 14, 2016 at 12:20 PM, Einar Bjarni Halldórsson <einar@isnic.is> wrote:

> Hi,
>
> I’ve looked and could not find an answer to my question anywhere.
>
> If there are multiple DS records in a parent, with different key tags,
> where only one of the DS records has a corresponding DNSKEY record in the
> child zone that correctly signs the DNSKEY RRSET, will validating resolvers
> ignore the other DS records or could they cause responses from the child to
> become invalid?
>
> .einar
> ISNIC
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
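The matching step the two messages are about, as an added example that is not part of the thread and not code from any resolver. It computes RFC 4034 key tags and DS digests for constructed (not real) keys, then applies the RFC 4035 section 5.2 rule: a DS is usable only if its key tag, algorithm and digest match a DNSKEY in the child's RRset and that DNSKEY signs the RRset. Cryptographic RRSIG verification is outside the example and is modelled by `verified_signer_tags`, assumed to be the key tags whose signature over the DNSKEY RRset already verified. The `require_all_algorithms` switch is a model of the stricter behaviour Olafur describes, not the policy of any named implementation; the names `validate_entry`, `make_ds` and `ds_matches` are this example's own.

```python
"""Validating-resolver DS/DNSKEY matching (RFC 4034 key tags and digests, RFC 4035 sec. 5.2).

Added example with constructed keys, not real zone data. RRSIG verification is modelled by
`verified_signer_tags`: the key tags whose signature over the DNSKEY RRset already checked.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material following the 4-byte RDATA header

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in once.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # SHA-256 (RFC 4509), SHA-384 (RFC 6605)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as hashed into a DS digest."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """What the parent publishes: digest over owner name || DNSKEY RDATA (RFC 4034 sec. 5.1.4)."""
    h = DIGESTS[digest_type](wire_name(owner) + key.rdata())
    return DS(key.key_tag(), key.algorithm, digest_type, h.digest())


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """A DS authenticates a DNSKEY only if key tag, algorithm and digest all agree."""
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    if ds.digest_type not in DIGESTS:
        return False  # unsupported digest type: this DS cannot be used (RFC 4035 sec. 5.2)
    return hmac.compare_digest(make_ds(owner, key, ds.digest_type).digest, ds.digest)


def validate_entry(owner, ds_set, dnskeys, verified_signer_tags, require_all_algorithms=False):
    """Return (secure, usable_ds, reason).

    Lenient mode (RFC 6840 sec. 5.11): one DS -> DNSKEY -> RRSIG path is enough, and DS records
    for keys that are absent or do not sign the RRset are ignored. Strict mode models validators
    that additionally demand a working chain for every algorithm present in the DS set.
    """
    usable = [ds for ds in ds_set
              if any(ds_matches(owner, ds, k) and k.key_tag() in verified_signer_tags
                     for k in dnskeys)]
    if not usable:
        return False, usable, "bogus: no DS matches a DNSKEY that signs the DNSKEY RRset"
    missing = {ds.algorithm for ds in ds_set} - {ds.algorithm for ds in usable}
    if require_all_algorithms and missing:
        return False, usable, f"bogus under strict policy: no chain for algorithms {sorted(missing)}"
    return True, usable, "secure"


# --- constructed sample data (not real keys) ---------------------------------------------
OWNER = "example."
CURRENT_KSK = DNSKEY(257, 3, 13, bytes(range(1, 65)))             # ECDSAP256SHA256, signing now
RETIRED_KSK = DNSKEY(257, 3, 13, bytes(range(64, 0, -1)))         # removed from the child zone
FUTURE_KSK = DNSKEY(257, 3, 8, b"\x03\x01\x00\x01" + bytes(128))  # RSASHA256, DS pre-published
ZSK = DNSKEY(256, 3, 13, bytes(range(100, 164)))                  # in the zone, no DS for it

CHILD_DNSKEY_RRSET = [CURRENT_KSK, ZSK]
PARENT_DS_SET = [make_ds(OWNER, RETIRED_KSK), make_ds(OWNER, CURRENT_KSK), make_ds(OWNER, FUTURE_KSK)]
SIGNERS = {CURRENT_KSK.key_tag()}  # assumed: RRSIG over the DNSKEY RRset verified with this key


def lenient():
    return validate_entry(OWNER, PARENT_DS_SET, CHILD_DNSKEY_RRSET, SIGNERS)


def strict():
    return validate_entry(OWNER, PARENT_DS_SET, CHILD_DNSKEY_RRSET, SIGNERS, require_all_algorithms=True)


if __name__ == "__main__":
    for name, (secure, usable, reason) in (("lenient", lenient()), ("strict", strict())):
        print(f"{name}: secure={secure} usable_tags={[d.key_tag for d in usable]} ({reason})")
```

With three DS records in the parent (retired key, current key, future key of a second algorithm) and only the current key present and signing, the lenient path returns secure on the single matching DS, while the strict path reports the missing algorithm 8 chain; that is the situation Einar's question describes and the exception Olafur names.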
- Re: [DNSOP] DS records and validating resolvers Tony Finch
- Re: [DNSOP] DS records and validating resolvers Ólafur Guðmundsson
- [DNSOP] DS records and validating resolvers Einar Bjarni Halldórsson