List: dns-operations
Subject: [dns-operations] Unknown algorithm and validation direction
From: Ed.Lewis () neustar ! biz (Edward Lewis)
Date: 2010-04-20 15:52:11
Message-ID: a06240807c7f375d7f7b1 () [10 ! 31 ! 200 ! 147]
At 10:50 -0400 4/20/10, Andrew Sullivan wrote:
>The latter I get, but could you explain more how the unknown algorithm
>stuff is relevant? (Also, does this belong over in
>protocol-maintenance land? I can't tell.)
Let's say the validator understands algorithm 5 and has a trust point
that is algorithm 5, but doesn't understand algorithm 7, and you get
this:
owner IN type
owner IN RRSIG type ...alg=7...
zone IN DNSKEY alg=7
zone IN RRSIG type ...alg=7...
zone IN DS alg=7
zone IN RRSIG type ...alg=5... (by the trust point's key)
If you are going bottom up, you see no usable signature for the first record.
Then you confirm that the zone is unsigned wrt the algorithms you
know from the DS set.
The validator declares the answer to be "knowingly unsigned" because
there are no signatures to work with and no signature is expected.
If this went top-down, it should still work (evidenced by the bug
being fixed), but there's the temptation to do the wrong thing when
you scramble down to the DS set and determine you've run out of
algorithms, meaning you could choose SERVFAIL instead of declaring
the subzone to be unsigned.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Wouldn't it be nice if all of the definitions of equivalence were the same?
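Added example (not part of the original message, and not code from any validator): a small model of the decision the message describes, walking from the trust point down to the answer and deciding secure / knowingly unsigned / SERVFAIL. The decision rule is the one in RFC 4035 section 5.2 (a DS RRset whose algorithms the validator does not implement makes the child provably unsigned). The record shapes, the `bail_on_unknown` flag that reproduces the wrong behaviour, and the sample chain are all constructed for illustration.

```python
"""Model of a DNSSEC validator meeting an algorithm it does not implement.

Added example, not from the original message or any real resolver.  Record
contents are reduced to the algorithm numbers that matter for the decision;
signature checks themselves are assumed to succeed whenever the algorithm is
known, so the model only answers: secure, knowingly unsigned, or SERVFAIL.
"""
from dataclasses import dataclass

SECURE = "secure"
INSECURE = "insecure (knowingly unsigned)"
BOGUS = "bogus (SERVFAIL)"


@dataclass(frozen=True)
class Delegation:
    """One step down the chain from a parent zone to a child zone."""
    child: str
    ds_algs: frozenset        # algorithms in the DS RRset the parent publishes
    ds_rrsig_algs: frozenset  # algorithms of the RRSIGs over that DS RRset
    dnskey_algs: frozenset    # algorithms in the child's DNSKEY RRset
                              # (assumed self-signed with the same algorithms)


@dataclass(frozen=True)
class Answer:
    owner: str
    rrsig_algs: frozenset     # algorithms of the RRSIGs covering the answer


def validate(trust_point_alg, chain, answer, known_algs, bail_on_unknown=False):
    """Walk top-down from the trust point and return SECURE, INSECURE or BOGUS.

    bail_on_unknown=True reproduces the mistake the message warns about: a
    validator that "runs out of algorithms" at a DS set and returns SERVFAIL
    instead of declaring the subzone unsigned.
    """
    known_algs = frozenset(known_algs)
    if trust_point_alg not in known_algs:
        return BOGUS  # the trust point itself is unusable; nothing can validate
    zone_algs = frozenset({trust_point_alg})  # algorithms we can currently check with
    for step in chain:
        # The DS RRset must be signed by a key we already trust in the parent.
        if not (step.ds_rrsig_algs & zone_algs):
            return BOGUS
        usable_ds = step.ds_algs & known_algs
        if not usable_ds:
            # RFC 4035 5.2: every DS uses an algorithm we do not implement, so
            # the child is treated as unsigned.  No signature is expected below.
            return BOGUS if bail_on_unknown else INSECURE
        # A DS we *can* check promises a DNSKEY of that algorithm; it must exist.
        matched = usable_ds & step.dnskey_algs
        if not matched:
            return BOGUS
        zone_algs = matched
    # Secure zone: the answer needs a signature by an algorithm we validated.
    if not (answer.rrsig_algs & zone_algs):
        return BOGUS
    return SECURE


# Constructed chain matching the records in the message: trust point alg 5,
# DS for "zone" is alg 7 and signed with alg 5, zone's DNSKEY is alg 7,
# and the answer at "owner" is signed with alg 7.
EXAMPLE_CHAIN = (
    Delegation(child="zone",
               ds_algs=frozenset({7}),
               ds_rrsig_algs=frozenset({5}),
               dnskey_algs=frozenset({7})),
)
EXAMPLE_ANSWER = Answer(owner="owner", rrsig_algs=frozenset({7}))


def outcome_for(known_algs, bail_on_unknown=False):
    """Outcome of the message's example for a validator knowing known_algs."""
    return validate(5, EXAMPLE_CHAIN, EXAMPLE_ANSWER, known_algs, bail_on_unknown)


if __name__ == "__main__":
    print("knows {5} only      :", outcome_for({5}))
    print("knows {5}, bails    :", outcome_for({5}, bail_on_unknown=True))
    print("knows {5, 7}        :", outcome_for({5, 7}))
```

A validator that only knows algorithm 5 must come out at "knowingly unsigned" for this chain, since the only DS it sees uses an algorithm it cannot check; the same walk with `bail_on_unknown=True` shows the SERVFAIL outcome the message calls the wrong thing. Adding algorithm 7 to the known set turns the same records into a secure answer.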