Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
Mark Andrews <marka@isc.org> Mon, 26 March 2012 00:56 UTC
From: Mark Andrews <marka@isc.org>
References: <4F6C99CB.7080806@ogud.com> <alpine.LSU.2.00.1203231822280.24583@hermes-2.csi.cam.ac.uk> <4F6CE5E0.1090309@ogud.com> <20120326003747.C4BB31F082F8@drugs.dv.isc.org>
In-reply-to: Your message of "Mon, 26 Mar 2012 11:37:47 +1100." <20120326003747.C4BB31F082F8@drugs.dv.isc.org>
Date: Mon, 26 Mar 2012 11:56:08 +1100
Message-Id: <20120326005608.9FEDD1F08557@drugs.dv.isc.org>
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
In message <20120326003747.C4BB31F082F8@drugs.dv.isc.org>, Mark Andrews writes:
>
> In message <4F6CE5E0.1090309@ogud.com>, Olafur Gudmundsson writes:
> > On 23/03/2012 14:23, Tony Finch wrote:
> > > Olafur Gudmundsson <ogud@ogud.com> wrote:
> > >>
> > >> The zone seems to be in compliance with the list in RFC4035 section 2.2, i.e.
> > >> there exists a valid signature by a key in the DNSKEY RRset.
> > >> But in the final paragraph that seems to be contradicted and does
> > >> require a signing key for all algorithms to be in the DNSKEY RRset.
> > >
> > > I believe the consensus is that that requirement applies to the signer
> > > not the validator.
> > >
> > >> What algorithms can a validator use to validate records from a zone
> > >> 2) any algorithm in the validated DNSKEY RRset
> > >
> > > Tony.
> >
> > but the validator needs to take into account what the signer is
> > allowed/required to do; we cannot have totally disjoint
> > requirements/assumptions.
>
> We don't have disjoint requirements. The DS records / configured
> trust anchors for the zone set up an expectation for the zone's contents
> by listing the algorithms that are expected to work. The signer
> meets those expectations by ensuring that each RRset is signed as
> described. This takes into account the effects of caching associated
> with introducing a new signing algorithm to a zone.
>
> It is NOT the signer's job to check that every RRSIG set contains

s/signer's/validator's/

> every algorithm listed in the DNSKEY RRset as the contents of these
> can and often will be from different versions of the zone signed
> at different times. If the validator is paranoid it MAY check every
> algorithm listed in the DS RRset/trust anchors is present and it
> MAY ignore algorithms not in the DS RRset/trust anchors.
>
> The validator however MUST NOT check that every algorithm listed
> in the DNSKEY RRset is present in every RRSIG set.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
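The three validator policies Mark contrasts above (the RFC 4035 section 2.2 baseline, the optional "paranoid" check against the DS algorithm set, and the over-strict check against the DNSKEY algorithm set that a validator MUST NOT perform) are modelled below as an added example. It is not code from the mail, from ISC or from BIND. To run offline it substitutes HMAC-SHA256 for the real DNSSEC public-key algorithms, so `DNSKEY.secret`, the key tags, the owner name `www.example.` and the rdata are all constructed; the algorithm numbers 8 and 13 are used only as labels. The scenario is the one the mail describes: a zone part-way through introducing a second algorithm, where the DNSKEY RRset already lists both algorithms but a cached RRSIG set was produced by the earlier version of the zone.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int   # IANA DNSSEC algorithm number, used only as a label here
    key_tag: int
    secret: bytes    # constructed toy key material; a real DNSKEY carries a public key


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    tag: bytes       # toy signature (HMAC tag) over the canonical RRset


def canonical(owner, rrtype, rdata):
    """Deterministic byte form of an RRset so signer and validator hash the same thing."""
    return "\n".join([owner.lower(), rrtype.upper()] + sorted(rdata)).encode()


def sign(key, owner, rrtype, rdata):
    """Toy signer: HMAC-SHA256 stands in for a real DNSSEC signature algorithm."""
    tag = hmac.new(key.secret, canonical(owner, rrtype, rdata), hashlib.sha256).digest()
    return RRSIG(key.algorithm, key.key_tag, tag)


def verify(key, sig, owner, rrtype, rdata):
    expected = hmac.new(key.secret, canonical(owner, rrtype, rdata), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.tag)


def validate_rrset(dnskeys, ds_algorithms, rrsigs, owner, rrtype, rdata,
                   require_all_ds_algs=False, require_all_dnskey_algs=False):
    """Return True if the RRset validates under the chosen policy.

    Baseline (RFC 4035 section 2.2): at least one RRSIG verifies under a key
    present in the DNSKEY RRset.
    require_all_ds_algs: the optional "paranoid" check from the mail; every
    algorithm listed in the DS RRset / trust anchors must appear in the RRSIG set.
    require_all_dnskey_algs: the check the mail says a validator MUST NOT do;
    included only to show how it breaks during an algorithm rollover.
    Keys whose algorithm is not in the DS set are ignored, which the mail allows.
    """
    sig_algs = {s.algorithm for s in rrsigs}
    if require_all_dnskey_algs and not {k.algorithm for k in dnskeys} <= sig_algs:
        return False
    if require_all_ds_algs and not set(ds_algorithms) <= sig_algs:
        return False
    usable = {(k.algorithm, k.key_tag): k for k in dnskeys if k.algorithm in ds_algorithms}
    return any(
        (s.algorithm, s.key_tag) in usable
        and verify(usable[(s.algorithm, s.key_tag)], s, owner, rrtype, rdata)
        for s in rrsigs
    )


def rollover_scenario():
    """Constructed zone state mid-rollover; returns each policy's verdict."""
    k8 = DNSKEY(8, 12345, b"constructed-secret-for-alg-8")
    k13 = DNSKEY(13, 54321, b"constructed-secret-for-alg-13")
    dnskeys = [k8, k13]          # DNSKEY RRset already carries both algorithms
    ds_algs = {8}                # parent DS still lists only algorithm 8
    owner, rrtype, rdata = "www.example.", "A", ["192.0.2.1"]
    cached = [sign(k8, owner, rrtype, rdata)]              # signed before k13 was added
    fresh = [sign(k8, owner, rrtype, rdata),
             sign(k13, owner, rrtype, rdata)]              # current zone version
    return {
        "baseline_cached": validate_rrset(dnskeys, ds_algs, cached, owner, rrtype, rdata),
        "paranoid_ds_cached": validate_rrset(dnskeys, ds_algs, cached, owner, rrtype, rdata,
                                             require_all_ds_algs=True),
        "all_dnskey_cached": validate_rrset(dnskeys, ds_algs, cached, owner, rrtype, rdata,
                                            require_all_dnskey_algs=True),
        "all_dnskey_fresh": validate_rrset(dnskeys, ds_algs, fresh, owner, rrtype, rdata,
                                           require_all_dnskey_algs=True),
        # same cached signature presented for altered rdata: must fail under every policy
        "tampered": validate_rrset(dnskeys, ds_algs, cached, owner, rrtype, ["192.0.2.99"]),
    }


if __name__ == "__main__":
    for policy, verdict in rollover_scenario().items():
        print(f"{policy:20s} {'secure' if verdict else 'bogus'}")
```

The cached RRSIG set carries only the algorithm 8 signature, which is exactly the state the mail describes: it validates under the baseline rule and under the DS-based paranoid check, but the DNSKEY-based check marks it bogus for no cryptographic reason, and would keep doing so until every cached RRSIG from the pre-rollover zone has expired.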