[dnsext] Validator assumptions: what algorithms need to properly sign a zone?
Olafur Gudmundsson <ogud@ogud.com> Fri, 23 March 2012 15:42 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BB1021F8568; Fri, 23 Mar 2012 08:42:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332517336; bh=aEAO67e7TNNfzaRxDGZXB3GAPZEfbeBfl47IekrHPYU=; h=Message-ID:Date:From:MIME-Version:To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Transfer-Encoding:Content-Type:Sender; b=xutjPcCL+0/+1fsSZQ3AIg6BOzieq9qxSKAzL9QR8Ka9CMhLp0YP3zMR+E4mR+Jux O0nqPERY068AR3Kcv4f1AidlVh8WNLeycJej7W58V08CQqa33MALQU/8H3fnQtgFww Y8wAL6nxZIjLahk8PKuCRxONPkAWi/HtiPZ76AK8=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954D921F8568 for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 08:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.512
X-Spam-Level:
X-Spam-Status: No, score=-106.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQ1eTrlRZabj for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 08:42:10 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 200CD21F8557 for <dnsext@ietf.org>; Fri, 23 Mar 2012 08:42:10 -0700 (PDT)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q2NFg8Wl037363 for <dnsext@ietf.org>; Fri, 23 Mar 2012 11:42:08 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-ID: <4F6C99CB.7080806@ogud.com>
Date: Fri, 23 Mar 2012 11:42:03 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "<dnsext@ietf.org>" <dnsext@ietf.org>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Subject: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
Following configuration was detected in the wild recently: Notation: A is algorithm x B is algorithm y An is key n of algorithm A Parent: DS 1 A1 DS 2 A1 Child: DNSKEY A1,B1 signed by A1 and B1 SOA signed by A1 and B1 all other records signed by A2 and B1 Notice that A2 signs records w/o being in the DNSKEY RRset. Some validators returned AD others return SERVFAIL for the RRsets signed by A2 + B1. The validators that return AD make the jump from algorithm A to B when validating the zone, the ones that SERVFAIL expect that the zone be properly signed by algorithm A (which it is not). Both positions are arguable, but it is bad for resolver vendors to be put in this position to argue with customers why they disagree on the right answer, and DNSSEC operators need a strong message what is allowed. In the case of a validator that supports A but not B SERVFAIL is the right answer as the zone is not properly signed for that algorithm. In this particular case the validators supported both algorithms. Background: The zone seems to be in compliance with the list in RFC4035 section 2.2 i.e. there exists a valid signature by a key in the DNSKEY RRset. But in the final paragraph that seems to be contradicted and does require the a signing key for all algorithms to be in the DNSKEY RRset. Section 5.4 of dnssec-bis seems skirts on this issue. Section 5.11 of dnssec-bis seems to strongly say that any algorithm in the DNSKEY should work: without saying what to do if not all the algorithms are supported or that at least one algorithm in the DS MUST work. Some people in this working group have argued that use/order of algorithms should be local policy and it is outside the documents scope to talk about this, others argue that will lead to unpredictability in resolution status. Fundamental question: What algorithms can a validator use to validate records from a zone 1) only algorithms in DS RRset 2) any algorithm in the validated DNSKEY RRset Doodle poll available at: http://www.doodle.com/7v5vmzvaerb2n8sb Please fill in the poll, chairs will judge if any changes are needed in DNSSECbis. Olafur _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] Validator assumptions: what algorithms n… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis