[dns-operations] .TH signed

Kim Davies kim.davies at icann.org
Wed Apr 8 18:01:41 UTC 2009

On 4/8/09 10:52 AM, "Chris Thompson" <cet1 at cam.ac.uk> wrote:
> There's something rotten in the ITAR about TH.
> https://itar.iana.org/anchors/anchors.xml (serial 14) has it with
> algorithm="3" digesttype="1" and https://itar.iana.org/anchors/ agrees,
> calling it "DSA/SHA-1". But this is rubbish: they are using algorithm 5
> (RSA/SHA-1) like everyone else (GOV excepted). This is correctly described
> in (DLV,th.dlv.isc.org) and (DS,th)@ns.iana.org.

Yes, we noticed this the day it got listed. Our methodology for checking the
trust anchor was to grab the DNSKEY(s), compute their key tag and digests,
and see if they matched. It appears we need to be checking algorithm types
too. Regrettably this was neither caught at our verification stage, or at
the TLD operator¹s manual inspection when they were asked to verify and
approve the listing.

We dropped a note to the .TH operators once we noticed but have yet to hear
back. Hopefully this will get fixed up shortly.

I'm curious what algorithm the DLV uses if they are automatically taking
ITAR records as to it not reflecting the same issue. Perhaps .TH
independently listed their trust anchor directly with DLV and that overrides
the ITAR?


More information about the dns-operations mailing list