IETF Logo Mail Archive

Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?

Mark Andrews <marka@isc.org> Mon, 26 March 2012 00:52 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 738BD21E805E; Sun, 25 Mar 2012 17:52:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332723120; bh=xGdHcvkjZ2q20djMfsMx04gcgWzCNsEzTQBp/Re8qpI=; h=From:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=bHJ9GEbGh/jai74AlCQ7c0iajBmgljR46YyFxRkjJawLc8VxEH8qezbDfabiC0pZe OeUHwudjOLg9aofLbgoZej10zuam3/4mA3eeVjJlP2S6sO1A0fY1qmMfNA+QtuI991 +qVyBpab6eFDH1mavjZGyXGa0i+f8u7xQMucS13s=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B189D21E805E for <dnsext@ietfa.amsl.com>; Sun, 25 Mar 2012 17:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[AWL=-0.587, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWyiCexwzLch for <dnsext@ietfa.amsl.com>; Sun, 25 Mar 2012 17:51:59 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0C621E8018 for <dnsext@ietf.org>; Sun, 25 Mar 2012 17:51:59 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 7D1B35F98B7; Mon, 26 Mar 2012 00:51:45 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:5cb:e520:9c28:3efd]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 89166216C33; Mon, 26 Mar 2012 00:51:43 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 51C041F083DE; Mon, 26 Mar 2012 11:51:41 +1100 (EST)
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 26 Mar 2012 11:37:47 +1100."
Date: Mon, 26 Mar 2012 11:51:40 +1100
Message-Id: <20120326005141.51C041F083DE@drugs.dv.isc.org>
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>, Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

Mark Andrews writes:
> 
> In message <4F6CE5E0.1090309@ogud.com>, Olafur Gudmundsson writes:
> > On 23/03/2012 14:23, Tony Finch wrote:
> > > Olafur Gudmundsson<ogud@ogud.com>  wrote:
> > >>
> > >> The zone seems to be in compliance with the list in RFC4035 section 2.2 
> i.
> > e.
> > >> there exists a valid signature by a key in the DNSKEY RRset.
> > >> But in the final paragraph that seems to be contradicted and does
> > >> require the a signing key for all algorithms to be in the DNSKEY RRset.
> > >
> > > I believe the consensus is that that requirement applies to the signer
> > > not the validator.
> > >
> > >> What algorithms can a validator use to validate records from a zone
> > >>    2) any algorithm in the validated DNSKEY RRset
> > >
> > > Tony.
> > 
> > but the validator needs to take into account what the signer is 
> > allowed/required to do we cannot have totally disjoint 
> > requirements/assumptions.
> 
> We don't have disjoint requirement.  The DS records / configured
> trust anchors for the zone set up a expection for the zones contents
> by listing the algorithms that are expected to work.  The signer
> meets those expections by ensuring that each RRset is signed as
> described.  This takes in to account the affects of caching associated
> with introducing new signing algorithm to a zone.

The "must sign with every algorithm in the DNSKEY RRset" was a
*simple* rule for the *signer* to follow to ensure that there
wouldn't be validation failures.  We could have written a much more
complicated rule about when a signature was required or not but it
would have been complicated to describe and would likely not be
implemented properly.

> It is NOT the signers job to check that every RRSIG set contains
> every algorithm listed in the DNSKEY RRset as the contents of these
> can and often will be from different versions of the zone signed
> at different times.  If the validator is paranoid it MAY check every
> algorithm listed in the DS RRset/trust anchors is present and it
> MAY ignore algorithms not in the DS RRset/trust anchors.
> 
> The validator however MUST NOT check that every algorithm listed
> in the DNSKEY RRset is present in every RRSIG set.
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email