Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
Mark Andrews <marka@isc.org> Mon, 26 March 2012 00:52 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 738BD21E805E; Sun, 25 Mar 2012 17:52:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332723120; bh=xGdHcvkjZ2q20djMfsMx04gcgWzCNsEzTQBp/Re8qpI=; h=From:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=bHJ9GEbGh/jai74AlCQ7c0iajBmgljR46YyFxRkjJawLc8VxEH8qezbDfabiC0pZe OeUHwudjOLg9aofLbgoZej10zuam3/4mA3eeVjJlP2S6sO1A0fY1qmMfNA+QtuI991 +qVyBpab6eFDH1mavjZGyXGa0i+f8u7xQMucS13s=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B189D21E805E for <dnsext@ietfa.amsl.com>; Sun, 25 Mar 2012 17:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[AWL=-0.587, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWyiCexwzLch for <dnsext@ietfa.amsl.com>; Sun, 25 Mar 2012 17:51:59 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0C621E8018 for <dnsext@ietf.org>; Sun, 25 Mar 2012 17:51:59 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 7D1B35F98B7; Mon, 26 Mar 2012 00:51:45 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:5cb:e520:9c28:3efd]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 89166216C33; Mon, 26 Mar 2012 00:51:43 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 51C041F083DE; Mon, 26 Mar 2012 11:51:41 +1100 (EST)
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 26 Mar 2012 11:37:47 +1100."
Date: Mon, 26 Mar 2012 11:51:40 +1100
Message-Id: <20120326005141.51C041F083DE@drugs.dv.isc.org>
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Mark Andrews writes: > > In message <4F6CE5E0.1090309@ogud.com>, Olafur Gudmundsson writes: > > On 23/03/2012 14:23, Tony Finch wrote: > > > Olafur Gudmundsson<ogud@ogud.com> wrote: > > >> > > >> The zone seems to be in compliance with the list in RFC4035 section 2.2 > i. > > e. > > >> there exists a valid signature by a key in the DNSKEY RRset. > > >> But in the final paragraph that seems to be contradicted and does > > >> require the a signing key for all algorithms to be in the DNSKEY RRset. > > > > > > I believe the consensus is that that requirement applies to the signer > > > not the validator. > > > > > >> What algorithms can a validator use to validate records from a zone > > >> 2) any algorithm in the validated DNSKEY RRset > > > > > > Tony. > > > > but the validator needs to take into account what the signer is > > allowed/required to do we cannot have totally disjoint > > requirements/assumptions. > > We don't have disjoint requirement. The DS records / configured > trust anchors for the zone set up a expection for the zones contents > by listing the algorithms that are expected to work. The signer > meets those expections by ensuring that each RRset is signed as > described. This takes in to account the affects of caching associated > with introducing new signing algorithm to a zone. The "must sign with every algorithm in the DNSKEY RRset" was a *simple* rule for the *signer* to follow to ensure that there wouldn't be validation failures. We could have written a much more complicated rule about when a signature was required or not but it would have been complicated to describe and would likely not be implemented properly. > It is NOT the signers job to check that every RRSIG set contains > every algorithm listed in the DNSKEY RRset as the contents of these > can and often will be from different versions of the zone signed > at different times. If the validator is paranoid it MAY check every > algorithm listed in the DS RRset/trust anchors is present and it > MAY ignore algorithms not in the DS RRset/trust anchors. > > The validator however MUST NOT check that every algorithm listed > in the DNSKEY RRset is present in every RRSIG set. > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] Validator assumptions: what algorithms n… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis