List:       dns-operations
Subject:    [dns-operations] Unknown algorithm and validation direction
From:       Ed.Lewis () neustar ! biz (Edward Lewis)
Date:       2010-04-20 15:52:11
Message-ID: a06240807c7f375d7f7b1 () [10 ! 31 ! 200 ! 147]

At 10:50 -0400 4/20/10, Andrew Sullivan wrote:

>The latter I get, but could you explain more how the unknown algorithm
>stuff is relevant?  (Also, does this belong over in
>protocol-maintenance land?  I can't tell.)

Let's say the validator understands algorithm 5 and has a trust point 
that is algorithm 5, but doesn't understand algorithm 7 and you get 
this:

owner       IN   type
owner       IN   RRSIG     type ...alg=7...

zone        IN   DNSKEY    alg=7
zone        IN   RRSIG     type ...alg=7...

zone        IN   DS        alg=7
zone        IN   RRSIG     type ...alg=5... (by the trust point's key)

If you are going bottom up, you see no usable signature for the first record.

Then you confirm that the zone is unsigned wrt the algorithms you 
know from the DS set.

Validator declares the answer to be "knowingly unsigned" because 
there are no signatures to work with and no signature is expected.

If this went top-down, it should still work (evidenced by the bug 
being fixed) but there's the temptation to do the wrong thing when 
you scramble down to the DS set and determine you've run out of 
algorithms, meaning you could choose SERVFAIL instead of declaring 
the subzone to be unsigned.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Wouldn't it be nice if all of the definitions of equivalence were the same?
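The decision the mail walks through, written out as an added example (this is not code from the mail or from any named validator). It models a top-down walk from a DNSKEY trust anchor to the answer and shows the branch that matters: a DS set that the parent authentically signed but that lists only algorithms the validator does not implement yields Insecure, not Bogus/SERVFAIL. Signature verification is deliberately stubbed (an RRSIG "verifies" when its algorithm is both implemented and present in the signer's DNSKEY set); the zone name, key tag, and the `Delegation` record layout are constructed for the example.

```python
"""Model of a DNSSEC validator's decision when it meets DS records whose
algorithm it does not implement (constructed example, not from the mail).

Only the *decision* is modelled. Signature verification is a stub: an RRSIG
counts as verified when its algorithm is implemented by the validator AND the
signer has a DNSKEY of that algorithm. A real validator also matches key tags,
checks the signature bytes and the inception/expiration window."""
from dataclasses import dataclass
from typing import Sequence

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"

# Algorithm numbers as used in the thread: 5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1.
RSASHA1, RSASHA1_NSEC3 = 5, 7
SHA1_DIGEST = 1


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


@dataclass
class Delegation:
    """One step down the tree: the DS set the parent publishes for a child
    zone plus the child's own DNSKEY set, each with the algorithms of the
    RRSIGs covering it."""
    zone: str
    ds_set: Sequence[DS]
    ds_rrsig_algs: Sequence[int]      # RRSIGs over the DS set, made by the parent
    dnskey_algs: Sequence[int]        # algorithms in the child's DNSKEY set
    dnskey_rrsig_algs: Sequence[int]  # RRSIGs over the DNSKEY set, made by the child


def rrsig_verifies(rrsig_algs, signer_key_algs, supported_algs):
    """Stubbed verification: some covering RRSIG uses an algorithm the
    validator implements and the signer actually has a key of that type."""
    return any(a in supported_algs and a in signer_key_algs for a in rrsig_algs)


def usable_ds(ds_set, supported_algs, supported_digests):
    """DS records the validator can act on (RFC 4035 section 5.2): both the
    key algorithm and the digest type must be implemented."""
    return [ds for ds in ds_set
            if ds.algorithm in supported_algs and ds.digest_type in supported_digests]


def validate_chain(trust_anchor_algs, chain, answer_rrsig_algs,
                   supported_algs, supported_digests=(SHA1_DIGEST,)):
    """Top-down walk from a DNSKEY trust anchor to the answer.

    Returns Secure, Insecure or Bogus. An authentically signed DS set that
    lists only algorithms we do not implement makes the child 'knowingly
    unsigned' for this validator: that is Insecure, never a failure."""
    signer_algs = set(trust_anchor_algs)
    for deleg in chain:
        # 1. The DS set must be authenticated by the parent's keys.
        if not rrsig_verifies(deleg.ds_rrsig_algs, signer_algs, supported_algs):
            return BOGUS
        # 2. No DS we understand: provably insecure delegation, stop here.
        usable = usable_ds(deleg.ds_set, supported_algs, supported_digests)
        if not usable:
            return INSECURE
        # 3. The child's DNSKEY set must be signed by a key matching a usable DS.
        usable_algs = {ds.algorithm for ds in usable}
        if not rrsig_verifies(deleg.dnskey_rrsig_algs,
                              usable_algs & set(deleg.dnskey_algs), supported_algs):
            return BOGUS
        signer_algs = set(deleg.dnskey_algs)
    # 4. Finally the answer itself, signed by the leaf zone's keys.
    if not rrsig_verifies(answer_rrsig_algs, signer_algs, supported_algs):
        return BOGUS
    return SECURE


# Constructed scenario from the thread: trust point is algorithm 5, the child
# zone is entirely algorithm 7, the parent signs the DS set with algorithm 5.
ALG7_ZONE = Delegation(
    zone="zone.example.",
    ds_set=[DS(key_tag=12345, algorithm=RSASHA1_NSEC3, digest_type=SHA1_DIGEST)],
    ds_rrsig_algs=[RSASHA1],
    dnskey_algs=[RSASHA1_NSEC3],
    dnskey_rrsig_algs=[RSASHA1_NSEC3],
)


def thread_scenario(validator_supports):
    """Outcome of the thread's chain for a validator implementing the given algorithms."""
    return validate_chain(trust_anchor_algs=[RSASHA1], chain=[ALG7_ZONE],
                          answer_rrsig_algs=[RSASHA1_NSEC3],
                          supported_algs=set(validator_supports))


if __name__ == "__main__":
    print("validator with alg 5 only:", thread_scenario({RSASHA1}))                 # Insecure
    print("validator with alg 5 and 7:", thread_scenario({RSASHA1, RSASHA1_NSEC3}))  # Secure
```

The walk returns Bogus only when something it could check failed to verify: the DS set not authenticated by the parent, or the DNSKEY/answer signatures not verifying under a DS it does understand. Running out of algorithms at the DS set is step 2, and it is the step the mail warns about: reaching it means the delegation is insecure for this validator and the answer should be returned unvalidated rather than as SERVFAIL.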
