IETF Logo Mail Archive

Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?

Samuel Weiler <weiler@watson.org> Fri, 23 March 2012 18:13 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F109B21F866A; Fri, 23 Mar 2012 11:13:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332526404; bh=ConbulncfeRmRNiRS3aq8UiAqyB3o9fBUpDGRqPa+AU=; h=Date:From:To:In-Reply-To:Message-ID:References:MIME-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=ORhECFcUvfXsyvVMzER2uAhCOC/l+KkC+z9ITmKGs/wS/TQfOSHdaeTAW3QdeTjDj PSoF9oqCYyImJmh73pDNo0za0b++dZndLmKZMU/3mtBsJWoOOSW7MkUYXBiw2ElsTu xPD3lHVnGYh9zJkxJBwFWmugl1VXC4rkBwxIHWIo=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8443021F866A for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 11:13:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.489
X-Spam-Level:
X-Spam-Status: No, score=-2.489 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihGxEy-8bjKg for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 11:13:18 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3B621F864F for <dnsext@ietf.org>; Fri, 23 Mar 2012 11:13:18 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id q2NIDGL0059241; Fri, 23 Mar 2012 14:13:16 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id q2NIDGkI059237; Fri, 23 Mar 2012 14:13:16 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Fri, 23 Mar 2012 14:13:16 -0400
From: Samuel Weiler <weiler@watson.org>
To: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <4F6C99CB.7080806@ogud.com>
Message-ID: <alpine.BSF.2.00.1203231353220.21503@fledge.watson.org>
References: <4F6C99CB.7080806@ogud.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Fri, 23 Mar 2012 14:13:16 -0400 (EDT)
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

Reordering Olafur's message.

On Fri, 23 Mar 2012, Olafur Gudmundsson wrote:

> Fundamental question:
> What algorithms can a validator use to validate records from a zone
>  1) only algorithms in DS RRset
>  2) any algorithm in the validated DNSKEY RRset

I'm not sure how you got to that as the final question, but it's an 
easy one to answer: #2.  We decided to have algorithm signalling 
happening in BOTH the DS RRset and the DNSKEY RRset.  The DNSKEY RRset 
can add algorithms but not remove them.

It sounds like what you're trying to ask, though, is "MUST a resolver 
try all algorithms, even to the point of jumping between algorithms?". 
bis-updates 5.4 says SHOULD, not MUST, without explictly saying 
anything about jumping between algorithms.

There is going to be unpredictability in this case.  Some resolvers 
won't support B, whether through implementation choice or 
configuration choice (B might be weak, hence turned off).  And it's 
probably sane, though certainly not necessary, for a validator to 
impose a no-alogrithm-jumping rule.  Hence limiting 5.4 to a SHOULD, 
not a MUST.

> Doodle poll available at:
> 	http://www.doodle.com/7v5vmzvaerb2n8sb

A Doodle poll seems like a poor tool for something such as this.

> Section 5.11 of dnssec-bis seems to strongly say that any algorithm in the 
> DNSKEY should work:
>    without saying what to do if not all the algorithms are supported
> or  that at least one algorithm in the DS MUST work.

Both this and 4035 section 2.2 may not explicitly say "and the chain 
of trust has to work within each algorithm".  Is that not said or 
implied elsewhere?  Are these sections really so ambiguous that we 
need to clarify them?

Please re-read bis-updates 5.11 and ponder.

-- Sam
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email