Re: [DNSOP] draft-ietf-dnsop-algorithm-update
Mark Andrews <marka@isc.org> Fri, 12 April 2019 15:31 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58A2A12081C for <dnsop@ietfa.amsl.com>; Fri, 12 Apr 2019 08:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KRVRh5At6T9d for <dnsop@ietfa.amsl.com>; Fri, 12 Apr 2019 08:31:21 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E48812080E for <dnsop@ietf.org>; Fri, 12 Apr 2019 08:31:13 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id E1B433AB066; Fri, 12 Apr 2019 15:31:12 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id CF1AD16003E; Fri, 12 Apr 2019 15:31:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A3E3616005C; Fri, 12 Apr 2019 15:31:12 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id j4Ro-NvPTpwC; Fri, 12 Apr 2019 15:31:12 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 013A516003E; Fri, 12 Apr 2019 15:31:11 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <ec7ed79a-ae9c-bf6e-3ce7-1b529aa894fa@nthpermutation.com>
Date: Sat, 13 Apr 2019 01:31:09 +1000
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org>
References: <ec7ed79a-ae9c-bf6e-3ce7-1b529aa894fa@nthpermutation.com>
To: Michael StJohns <msj@nthpermutation.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/258HHymklt84mBpajPk_QP1xQhs>
Subject: Re: [DNSOP] draft-ietf-dnsop-algorithm-update
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 15:31:27 -0000
Well given that the actual rule is all the algorithms listed in the DS RRset rather than DNSKEY RRset and is designed to ensure that there is always a signature present for each of the algorithms that could be used be used to declare that the child zone is treated as secure, the answer is NO. Mark > On 13 Apr 2019, at 1:05 am, Michael StJohns <msj@nthpermutation.com> wrote: > > Hi - > > I had someone ask me (last night!!) whether or not the "must sign each RRSet with all of the algorithms in the DNSKEY RRSet" rule applies if the only key with algorithm A in the RRSet has the revoke bit set. A question I had never previously considered. > > Given that you can't trace trust through that revoked key, and any RRSig originated by that key is just extraneous bits, I came to three conclusions: 1) A key must not be counted for the purposes of the rule if it has the (RFC5011) revoke bit set, (s) the only RRSigs created by a revoked key are over the DNSKEY RRSet and 3) it's possible/probable that interpretations could differ. > > I tagged this email with the algorithm update ID/RFC candidate because about the only time you're going to see a revoked singleton key of a given algorithm is when you're transitioning the algorithms for the zone. > > I hesitate to ask - and apologize for asking given the late date for this document, but should the statements (1) and (2) above or something similar be included in this document for completeness? > > Alternatively, what breaks if publishers omit the extraneous signatures just because? > > Later, Mike > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] draft-ietf-dnsop-algorithm-update Michael StJohns
- Re: [DNSOP] draft-ietf-dnsop-algorithm-update Mark Andrews
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Edward Lewis
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Mark Andrews
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Edward Lewis
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Mark Andrews
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Mark Andrews