IETF Logo Mail Archive

[dnsext] Validator assumptions: what algorithms need to properly sign a zone?

Olafur Gudmundsson <ogud@ogud.com> Fri, 23 March 2012 15:42 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BB1021F8568; Fri, 23 Mar 2012 08:42:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332517336; bh=aEAO67e7TNNfzaRxDGZXB3GAPZEfbeBfl47IekrHPYU=; h=Message-ID:Date:From:MIME-Version:To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Transfer-Encoding:Content-Type:Sender; b=xutjPcCL+0/+1fsSZQ3AIg6BOzieq9qxSKAzL9QR8Ka9CMhLp0YP3zMR+E4mR+Jux O0nqPERY068AR3Kcv4f1AidlVh8WNLeycJej7W58V08CQqa33MALQU/8H3fnQtgFww Y8wAL6nxZIjLahk8PKuCRxONPkAWi/HtiPZ76AK8=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954D921F8568 for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 08:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.512
X-Spam-Level:
X-Spam-Status: No, score=-106.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQ1eTrlRZabj for <dnsext@ietfa.amsl.com>; Fri, 23 Mar 2012 08:42:10 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 200CD21F8557 for <dnsext@ietf.org>; Fri, 23 Mar 2012 08:42:10 -0700 (PDT)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q2NFg8Wl037363 for <dnsext@ietf.org>; Fri, 23 Mar 2012 11:42:08 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-ID: <4F6C99CB.7080806@ogud.com>
Date: Fri, 23 Mar 2012 11:42:03 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "<dnsext@ietf.org>" <dnsext@ietf.org>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Subject: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

Following configuration was detected in the wild recently:
Notation: A is algorithm x
	  B is algorithm y
	  An is key n of algorithm A

Parent:
	DS   1 A1
	DS   2 A1

Child:
	DNSKEY A1,B1      signed by A1 and B1
	SOA               signed by A1 and B1
	all other records signed by A2 and B1

Notice that A2 signs records w/o being in the DNSKEY RRset.

Some validators returned AD others return SERVFAIL for the RRsets signed 
by A2 + B1.
The validators that return AD make the jump from algorithm A to B when 
validating the zone, the ones that SERVFAIL expect that the zone be 
properly signed by algorithm A (which it is not).

Both positions are arguable, but it is bad for resolver vendors to be 
put in this position to argue with customers why they disagree on the 
right answer, and DNSSEC operators need a strong message what is allowed.

In the case of a validator that supports A but not B SERVFAIL is the 
right answer as the zone is not properly signed for that algorithm.
In this particular case the validators supported both algorithms.

Background:
The zone seems to be in compliance with the list in RFC4035 section 2.2 
i.e. there exists a valid signature by a key in the DNSKEY RRset.
But in the final paragraph that seems to be contradicted and does
require the a signing key for all algorithms to be in the DNSKEY RRset.

Section 5.4 of dnssec-bis seems skirts on this issue.
Section 5.11 of dnssec-bis seems to strongly say that any algorithm in 
the DNSKEY should work:
     without saying what to do if not all the algorithms are supported
or  that at least one algorithm in the DS MUST work.

Some people in this working group have argued that use/order of 
algorithms should be local policy and it is outside the documents scope 
to talk about this, others argue that will lead to unpredictability in 
resolution status.

Fundamental question:
What algorithms can a validator use to validate records from a zone 	
   1) only algorithms in DS RRset
   2) any algorithm in the validated DNSKEY RRset

Doodle poll available at:
	http://www.doodle.com/7v5vmzvaerb2n8sb

Please fill in the poll, chairs will judge if any changes are needed in 
DNSSECbis.

	Olafur
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email