Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?

Mark Andrews <marka@isc.org> Mon, 26 March 2012 00:38 UTC

To: Olafur Gudmundsson <ogud@ogud.com>
From: Mark Andrews <marka@isc.org>
References: <4F6C99CB.7080806@ogud.com> <alpine.LSU.2.00.1203231822280.24583@hermes-2.csi.cam.ac.uk> <4F6CE5E0.1090309@ogud.com>
In-reply-to: Your message of "Fri, 23 Mar 2012 17:06:40 EDT." <4F6CE5E0.1090309@ogud.com>
Date: Mon, 26 Mar 2012 11:37:47 +1100
Message-Id: <20120326003747.C4BB31F082F8@drugs.dv.isc.org>
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?

In message <4F6CE5E0.1090309@ogud.com>, Olafur Gudmundsson writes:
> On 23/03/2012 14:23, Tony Finch wrote:
> > Olafur Gudmundsson<ogud@ogud.com>  wrote:
> >>
> >> The zone seems to be in compliance with the list in RFC4035 section 2.2, i.e.
> >> there exists a valid signature by a key in the DNSKEY RRset.
> >> But in the final paragraph that seems to be contradicted and does
> >> require a signing key for all algorithms to be in the DNSKEY RRset.
> >
> > I believe the consensus is that that requirement applies to the signer
> > not the validator.
> >
> >> What algorithms can a validator use to validate records from a zone
> >>    2) any algorithm in the validated DNSKEY RRset
> >
> > Tony.
> 
> but the validator needs to take into account what the signer is 
> allowed/required to do; we cannot have totally disjoint 
> requirements/assumptions.

We don't have disjoint requirements.  The DS records / configured
trust anchors for the zone set up an expectation for the zone's contents
by listing the algorithms that are expected to work.  The signer
meets those expectations by ensuring that each RRset is signed as
described.  This takes into account the effects of caching associated
with introducing a new signing algorithm to a zone.

It is NOT the signer's job to check that every RRSIG set contains
every algorithm listed in the DNSKEY RRset as the contents of these
can and often will be from different versions of the zone signed
at different times.  If the validator is paranoid it MAY check every
algorithm listed in the DS RRset/trust anchors is present and it
MAY ignore algorithms not in the DS RRset/trust anchors.

The validator however MUST NOT check that every algorithm listed
in the DNSKEY RRset is present in every RRSIG set.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
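The split of responsibilities the reply above describes (the signer covers every algorithm the DS RRset / trust anchors name, on every RRset; the validator accepts any one verifying signature from a key in the validated DNSKEY RRset, may ignore algorithms the DS set does not list, and must not demand every DNSKEY algorithm in every RRSIG set), as an added Python example that is not part of any message in this thread. It models algorithm numbers and key tags only: the `verifies` flag is a constructed stand-in for the cryptographic check, and the zone names, key tags and mid-rollover state are made up to show the caching case Mark mentions, where an RRset cached from an older zone version carries signatures for only the old algorithm.

```python
"""Algorithm-coverage rules for a DNSSEC signer and validator.

Added illustration of the policy discussed on the list; no real cryptography.
Signature verification is represented by a constructed boolean per RRSIG.
"""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC registry, used in the sample data.
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class DNSKEY:
    alg: int
    key_tag: int


@dataclass(frozen=True)
class RRSIG:
    alg: int
    key_tag: int
    verifies: bool  # stand-in for the real signature check (constructed)


def signer_violations(ds_algs, dnskeys, rrsigs_by_rrset):
    """Signer-side check (the thread's reading of RFC 4035 section 2.2):
    every algorithm the DS RRset / trust anchors expect must have a key in
    the DNSKEY RRset and an RRSIG on every RRset. Returns the problems found."""
    problems = []
    present = {k.alg for k in dnskeys}
    for alg in sorted(ds_algs - present):
        problems.append(f"DS expects algorithm {alg} but DNSKEY RRset has no such key")
    for name, sigs in sorted(rrsigs_by_rrset.items()):
        for alg in sorted(ds_algs - {s.alg for s in sigs}):
            problems.append(f"{name}: no RRSIG with algorithm {alg}")
    return problems


def validator_accepts(ds_algs, dnskeys, rrsigs, paranoid=False):
    """Validator-side decision for one RRset.

    Accept if ANY RRSIG verifies under a key that is in the validated DNSKEY
    RRset and whose algorithm the DS/trust anchors expect. Algorithms the DS
    set does not list are ignored (the MAY in the thread). The validator does
    NOT require every DNSKEY algorithm to appear in the RRSIG set (the MUST
    NOT). paranoid=True adds the optional check that every DS algorithm is
    represented among the usable signatures."""
    keys = {(k.alg, k.key_tag) for k in dnskeys}
    usable = [s for s in rrsigs if s.alg in ds_algs and (s.alg, s.key_tag) in keys]
    if paranoid and (ds_algs - {s.alg for s in usable}):
        return False
    return any(s.verifies for s in usable)


# Constructed sample: a zone midway through adding ECDSA (alg 13) alongside
# RSA/SHA-256 (alg 8). The DS RRset already names both algorithms.
SAMPLE_DS_ALGS = {RSASHA256, ECDSAP256SHA256}
SAMPLE_KEYS = [DNSKEY(RSASHA256, 10001), DNSKEY(ECDSAP256SHA256, 20002)]
SAMPLE_RRSIGS = {
    # Re-signed after the rollover started: covered by both algorithms.
    "www.example": [RRSIG(RSASHA256, 10001, True), RRSIG(ECDSAP256SHA256, 20002, True)],
    # Still in a cache from the pre-rollover zone version: RSA only.
    "mail.example": [RRSIG(RSASHA256, 10001, True)],
    # Signed by a key tag the DNSKEY RRset does not carry: not usable.
    "old.example": [RRSIG(RSASHA256, 99999, True)],
}


if __name__ == "__main__":
    for p in signer_violations(SAMPLE_DS_ALGS, SAMPLE_KEYS, SAMPLE_RRSIGS):
        print("signer:", p)
    for name, sigs in SAMPLE_RRSIGS.items():
        print(name, "accepted:", validator_accepts(SAMPLE_DS_ALGS, SAMPLE_KEYS, sigs))
```

Running it reports the signer-side gaps for the two RRsets lacking an algorithm-13 signature, yet the validator still accepts the cached `mail.example` RRset on its single RSA signature; only the optional paranoid mode rejects it, and passing a DS set of `{RSASHA256}` alone shows that an extra algorithm in the DNSKEY RRset changes nothing for the validator.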