Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?

Tony Finch <dot@dotat.at> Mon, 26 March 2012 10:00 UTC

Olafur Gudmundsson <ogud@ogud.com> wrote:
> On 23/03/2012 14:23, Tony Finch wrote:
> > Olafur Gudmundsson <ogud@ogud.com> wrote:
> > >
> > > The zone seems to be in compliance with the list in RFC4035 section 2.2,
> > > i.e. there exists a valid signature by a key in the DNSKEY RRset.
> > > But in the final paragraph that seems to be contradicted and does
> > > require a signing key for all algorithms to be in the DNSKEY RRset.
> >
> > I believe the consensus is that that requirement applies to the signer
> > not the validator.
>
> but the validator needs to take into account what the signer is
> allowed/required to do; we cannot have totally disjoint
> requirements/assumptions.

They aren't disjoint. I think it makes more sense if who takes what into
account is the opposite way round to what you suggest. The validation
algorithm allows for a lot of flexibility and makes validation possible
despite some kinds of brokenness; the requirements on the signer keep it
well within the range of what validators allow. Robustness principle.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fisher, German Bight: Northwesterly 3 or 4, increasing 5 or 6 in east Fisher.
Moderate in east Fisher, otherwise slight. Fog patches. Moderate or good,
occasionally very poor.
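
An added illustration of the signer/validator split discussed in this message (it is not part of the thread and not code from any DNS implementation): a simplified model that compares the strict signer rule from the final paragraph of RFC 4035 section 2.2 with a permissive validator. The function names, the zone labels and all zone data are hypothetical and constructed, and every RRSIG is assumed to verify cryptographically.

```python
# Added illustration, not from the thread. Algorithm numbers only; every RRSIG
# is assumed to verify cryptographically. All zone data below is constructed.

def signer_compliant(ds_algs, dnskey_algs, rrsig_algs):
    """Signer-side rule from the final paragraph of RFC 4035 section 2.2.

    rrsig_algs maps an RRset label to the set of algorithms that signed it;
    the label "DNSKEY" stands for the apex DNSKEY RRset.
    """
    # Each DS algorithm needs a key in the DNSKEY RRset that signs that RRset.
    if not ds_algs <= (dnskey_algs & rrsig_algs["DNSKEY"]):
        return False
    # Each RRset needs an RRSIG from every algorithm in the DNSKEY RRset.
    return all(dnskey_algs <= algs for algs in rrsig_algs.values())


def validator_status(ds_algs, dnskey_algs, rrsig_algs, supported):
    """Permissive validator: one usable signature chain per RRset is enough."""
    usable_ds = ds_algs & supported
    if not usable_ds:
        return "insecure"  # no supported algorithm in the DS RRset
    if not (usable_ds & dnskey_algs & rrsig_algs["DNSKEY"]):
        return "bogus"     # DNSKEY RRset not anchored by any usable DS
    usable_keys = dnskey_algs & supported
    if all(algs & usable_keys for algs in rrsig_algs.values()):
        return "secure"
    return "bogus"


# Constructed zones; 5 = RSASHA1 and 8 = RSASHA256 (IANA algorithm numbers).
ZONES = {
    # DS lists algorithm 5, but no algorithm 5 key exists in the zone.
    "extra_ds": ({5, 8}, {8}, {"DNSKEY": {8}, "www/A": {8}}),
    # Both algorithms have keys, but one RRset is signed with only one.
    "partial": ({5, 8}, {5, 8}, {"DNSKEY": {5, 8}, "www/A": {8}}),
    # Every RRset is signed with every algorithm.
    "strict": ({5, 8}, {5, 8}, {"DNSKEY": {5, 8}, "www/A": {5, 8}}),
}

def report(supported):
    """Return {zone: (signer_compliant, validator_status)} for one validator."""
    return {name: (signer_compliant(*z), validator_status(*z, supported))
            for name, z in ZONES.items()}

if __name__ == "__main__":
    for supported in ({5, 8}, {8}, {5}):
        print(sorted(supported), report(supported))
```

In this model the two non-compliant zones still validate for a validator that supports algorithm 8, but turn bogus for one that supports only algorithm 5, while the zone that meets the signer rule is never bogus for any set of supported algorithms.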