IETF Logo Mail Archive

Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?

Mark Andrews <marka@isc.org> Mon, 26 March 2012 00:56 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F9FA21E8064; Sun, 25 Mar 2012 17:56:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332723390; bh=sSTX8V6mfkf7+nomRTFRDgmvidHhC03F9szya2H3GLA=; h=From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=Tur0CANMqe8b/7atCKK11nWiiIkWCbfF9YAN1VZ5XV0vsUE0tTfjAKFTk0+J66ojF E8ay5RIAielmCZMLwDBPjUJd8Cay5VnLgrJy+R9Hs/RTpO28bL3hxqcE4zglRYI/tx XvL3zr70JnV4sTJxU1hQmWTvdGeya22peEe4sajw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F27221E8051 for <dnsext@ietfa.amsl.com>; Sun, 25 Mar 2012 17:56:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.882
X-Spam-Level:
X-Spam-Status: No, score=-1.882 tagged_above=-999 required=5 tests=[AWL=-0.575, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZLGBKUkbnx9a for <dnsext@ietfa.amsl.com>; Sun, 25 Mar 2012 17:56:28 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id D25F821E8064 for <dnsext@ietf.org>; Sun, 25 Mar 2012 17:56:27 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id F2DDD5F98B6; Mon, 26 Mar 2012 00:56:12 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:5cb:e520:9c28:3efd]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 07917216C31; Mon, 26 Mar 2012 00:56:11 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 9FEDD1F08557; Mon, 26 Mar 2012 11:56:08 +1100 (EST)
From: Mark Andrews <marka@isc.org>
References: <4F6C99CB.7080806@ogud.com> <alpine.LSU.2.00.1203231822280.24583@hermes-2.csi.cam.ac.uk> <4F6CE5E0.1090309@ogud.com> <20120326003747.C4BB31F082F8@drugs.dv.isc.org>
In-reply-to: Your message of "Mon, 26 Mar 2012 11:37:47 +1100." <20120326003747.C4BB31F082F8@drugs.dv.isc.org>
Date: Mon, 26 Mar 2012 11:56:08 +1100
Message-Id: <20120326005608.9FEDD1F08557@drugs.dv.isc.org>
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <20120326003747.C4BB31F082F8@drugs.dv.isc.org>, Mark Andrews writes:
> 
> In message <4F6CE5E0.1090309@ogud.com>, Olafur Gudmundsson writes:
> > On 23/03/2012 14:23, Tony Finch wrote:
> > > Olafur Gudmundsson<ogud@ogud.com>  wrote:
> > >>
> > >> The zone seems to be in compliance with the list in RFC4035 section 2.2 
> i.
> > e.
> > >> there exists a valid signature by a key in the DNSKEY RRset.
> > >> But in the final paragraph that seems to be contradicted and does
> > >> require the a signing key for all algorithms to be in the DNSKEY RRset.
> > >
> > > I believe the consensus is that that requirement applies to the signer
> > > not the validator.
> > >
> > >> What algorithms can a validator use to validate records from a zone
> > >>    2) any algorithm in the validated DNSKEY RRset
> > >
> > > Tony.
> > 
> > but the validator needs to take into account what the signer is 
> > allowed/required to do we cannot have totally disjoint 
> > requirements/assumptions.
> 
> We don't have disjoint requirement.  The DS records / configured
> trust anchors for the zone set up a expection for the zones contents
> by listing the algorithms that are expected to work.  The signer
> meets those expections by ensuring that each RRset is signed as
> described.  This takes in to account the affects of caching associated
> with introducing new signing algorithm to a zone.
> 
> It is NOT the signers job to check that every RRSIG set contains
	s/signers/validator's/
> every algorithm listed in the DNSKEY RRset as the contents of these
> can and often will be from different versions of the zone signed
> at different times.  If the validator is paranoid it MAY check every
> algorithm listed in the DS RRset/trust anchors is present and it
> MAY ignore algorithms not in the DS RRset/trust anchors.
> 
> The validator however MUST NOT check that every algorithm listed
> in the DNSKEY RRset is present in every RRSIG set.
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email