Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
Mark Andrews <marka@isc.org> Mon, 26 March 2012 00:38 UTC
To: Olafur Gudmundsson <ogud@ogud.com>
From: Mark Andrews <marka@isc.org>
References: <4F6C99CB.7080806@ogud.com> <alpine.LSU.2.00.1203231822280.24583@hermes-2.csi.cam.ac.uk> <4F6CE5E0.1090309@ogud.com>
In-reply-to: Your message of "Fri, 23 Mar 2012 17:06:40 EDT." <4F6CE5E0.1090309@ogud.com>
Date: Mon, 26 Mar 2012 11:37:47 +1100
Message-Id: <20120326003747.C4BB31F082F8@drugs.dv.isc.org>
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
In message <4F6CE5E0.1090309@ogud.com>, Olafur Gudmundsson writes:

> On 23/03/2012 14:23, Tony Finch wrote:
> > Olafur Gudmundsson <ogud@ogud.com> wrote:
> >>
> >> The zone seems to be in compliance with the list in RFC4035 section 2.2, i.e.
> >> there exists a valid signature by a key in the DNSKEY RRset.
> >> But in the final paragraph that seems to be contradicted and does
> >> require a signing key for all algorithms to be in the DNSKEY RRset.
> >
> > I believe the consensus is that that requirement applies to the signer
> > not the validator.
> >
> >> What algorithms can a validator use to validate records from a zone
> >> 2) any algorithm in the validated DNSKEY RRset
> >
> > Tony.
>
> but the validator needs to take into account what the signer is
> allowed/required to do; we cannot have totally disjoint
> requirements/assumptions.

We don't have disjoint requirements. The DS records / configured trust
anchors for the zone set up an expectation for the zone's contents by
listing the algorithms that are expected to work. The signer meets those
expectations by ensuring that each RRset is signed as described. This
takes into account the effects of caching associated with introducing a
new signing algorithm to a zone.

It is NOT the signer's job to check that every RRSIG set contains every
algorithm listed in the DNSKEY RRset, as the contents of these can and
often will be from different versions of the zone signed at different
times.

If the validator is paranoid it MAY check that every algorithm listed in
the DS RRset/trust anchors is present, and it MAY ignore algorithms not
in the DS RRset/trust anchors. The validator however MUST NOT check that
every algorithm listed in the DNSKEY RRset is present in every RRSIG set.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
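The distinction the message draws (a validator accepts one verifying signature by a key in the validated DNSKEY RRset, may optionally insist on every DS/trust-anchor algorithm, and must not demand every DNSKEY algorithm in every RRSIG set) as an added Python model. This is illustration written for this archive page, not code from the thread, from ISC/BIND or from any RFC; cryptographic verification is abstracted into a `verifies` flag on each RRSIG, and the key tags and the mid-rollover scenario are constructed.

```python
"""Which algorithm-coverage checks a DNSSEC validator should make on an RRset.

Added illustration of the rule stated in the message above; not code from the
dnsext thread, from ISC/BIND or from any RFC. Cryptographic verification is
abstracted away: each RRSIG carries a 'verifies' flag standing in for the
result of checking the signature against the matching DNSKEY.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int   # DNSSEC algorithm number, e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    verifies: bool   # stand-in for the real cryptographic check


def covered_algorithms(dnskeys, rrsigs):
    """Algorithms for which some RRSIG verifies under a key of the validated DNSKEY RRset."""
    keys = {(k.key_tag, k.algorithm) for k in dnskeys}
    return {s.algorithm for s in rrsigs
            if (s.key_tag, s.algorithm) in keys and s.verifies}


def rrset_is_secure(dnskeys, rrsigs, ds_algorithms=None, ignore_unlisted=False):
    """Validator rule from RFC 4035 section 2.2 as read in the thread: one verifying
    signature by a key in the validated DNSKEY RRset is enough.

    ds_algorithms: algorithms from the DS RRset / configured trust anchors. When
      given, the optional ("paranoid") check that every such algorithm is present
      in the RRSIG set is applied.
    ignore_unlisted: also discard signatures whose algorithm is not in the DS
      RRset / trust anchors (the other option the message says a validator MAY take).
    """
    covered = covered_algorithms(dnskeys, rrsigs)
    if ds_algorithms is not None:
        ds_algorithms = set(ds_algorithms)
        if ignore_unlisted:
            covered &= ds_algorithms
        if not ds_algorithms <= covered:
            return False
    return bool(covered)


def overstrict_check(dnskeys, rrsigs):
    """The check the message says a validator MUST NOT make: require every
    algorithm in the DNSKEY RRset in every RRSIG set. Kept only to show the
    false 'bogus' verdict it produces during an algorithm rollover."""
    return {k.algorithm for k in dnskeys} <= covered_algorithms(dnskeys, rrsigs)


# Constructed scenario (key tags are made up): the zone is mid-way through adding
# algorithm 13. The DS RRset still lists only algorithm 8; the apex DNSKEY RRset
# already carries both keys; a cached RRSIG set for some RRset predates the
# algorithm-13 signatures and so carries only the algorithm-8 signature.
SAMPLE_DS_ALGORITHMS = {8}
SAMPLE_DNSKEYS = [DNSKEY(key_tag=12345, algorithm=8), DNSKEY(key_tag=23456, algorithm=13)]
SAMPLE_RRSIGS = [RRSIG(key_tag=12345, algorithm=8, verifies=True)]


if __name__ == "__main__":
    print("RFC 4035 rule:           ", rrset_is_secure(SAMPLE_DNSKEYS, SAMPLE_RRSIGS))
    print("+ paranoid DS check:     ", rrset_is_secure(SAMPLE_DNSKEYS, SAMPLE_RRSIGS, SAMPLE_DS_ALGORITHMS))
    print("over-strict DNSKEY check:", overstrict_check(SAMPLE_DNSKEYS, SAMPLE_RRSIGS))
```

Run as a script, the sample scenario comes out secure under the RFC 4035 rule and under the optional DS-based check, while the over-strict DNSKEY-based check rejects a perfectly valid cached RRset, which is the false-bogus failure the message warns about.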