Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
Samuel Weiler <weiler@watson.org> Fri, 23 March 2012 18:13 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F109B21F866A; Fri, 23 Mar 2012 11:13:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332526404; bh=ConbulncfeRmRNiRS3aq8UiAqyB3o9fBUpDGRqPa+AU=; h=Date:From:To:In-Reply-To:Message-ID:References:MIME-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=ORhECFcUvfXsyvVMzER2uAhCOC/l+KkC+z9ITmKGs/wS/TQfOSHdaeTAW3QdeTjDj PSoF9oqCYyImJmh73pDNo0za0b++dZndLmKZMU/3mtBsJWoOOSW7MkUYXBiw2ElsTu xPD3lHVnGYh9zJkxJBwFWmugl1VXC4rkBwxIHWIo=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8443021F866A for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 11:13:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.489
X-Spam-Level:
X-Spam-Status: No, score=-2.489 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihGxEy-8bjKg for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 11:13:18 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3B621F864F for <dnsext@ietf.org>; Fri, 23 Mar 2012 11:13:18 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id q2NIDGL0059241; Fri, 23 Mar 2012 14:13:16 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id q2NIDGkI059237; Fri, 23 Mar 2012 14:13:16 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Fri, 23 Mar 2012 14:13:16 -0400
From: Samuel Weiler <weiler@watson.org>
To: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <4F6C99CB.7080806@ogud.com>
Message-ID: <alpine.BSF.2.00.1203231353220.21503@fledge.watson.org>
References: <4F6C99CB.7080806@ogud.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Fri, 23 Mar 2012 14:13:16 -0400 (EDT)
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Reordering Olafur's message. On Fri, 23 Mar 2012, Olafur Gudmundsson wrote: > Fundamental question: > What algorithms can a validator use to validate records from a zone > 1) only algorithms in DS RRset > 2) any algorithm in the validated DNSKEY RRset I'm not sure how you got to that as the final question, but it's an easy one to answer: #2. We decided to have algorithm signalling happening in BOTH the DS RRset and the DNSKEY RRset. The DNSKEY RRset can add algorithms but not remove them. It sounds like what you're trying to ask, though, is "MUST a resolver try all algorithms, even to the point of jumping between algorithms?". bis-updates 5.4 says SHOULD, not MUST, without explictly saying anything about jumping between algorithms. There is going to be unpredictability in this case. Some resolvers won't support B, whether through implementation choice or configuration choice (B might be weak, hence turned off). And it's probably sane, though certainly not necessary, for a validator to impose a no-alogrithm-jumping rule. Hence limiting 5.4 to a SHOULD, not a MUST. > Doodle poll available at: > http://www.doodle.com/7v5vmzvaerb2n8sb A Doodle poll seems like a poor tool for something such as this. > Section 5.11 of dnssec-bis seems to strongly say that any algorithm in the > DNSKEY should work: > without saying what to do if not all the algorithms are supported > or that at least one algorithm in the DS MUST work. Both this and 4035 section 2.2 may not explicitly say "and the chain of trust has to work within each algorithm". Is that not said or implied elsewhere? Are these sections really so ambiguous that we need to clarify them? Please re-read bis-updates 5.11 and ponder. -- Sam _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] Validator assumptions: what algorithms n… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis