[dns-operations] .TH signed

Michael Graff michael_graff at isc.org
Wed Apr 8 18:02:54 UTC 2009


Chris Thompson wrote:
> There's something rotten in the ITAR about TH.
> https://itar.iana.org/anchors/anchors.xml (serial 14) has it with
> algorithm="3" digesttype="1" and https://itar.iana.org/anchors/ agrees,
> calling it "DSA/SHA-1". But this is rubbish: they are using algorithm 5
> (RSA/SHA-1) like everyone else (GOV excepted). This is correctly described
> in (DLV,th.dlv.isc.org) and (DS,th)@ns.iana.org.

This is actually the second time the ITAR had the wrong algorithm type
listed for a DS.  The first was corrected quickly, and was within days
of the ITAR being announced.

Our ITAR import script is currently ignoring TH as it was added into
ISC's DLV by the TH admin directly, or I'd have caught this as well.

I suspect the ITAR needs a sanity check script as well.  I can offer my
import script for DLV as a starting point; it currently compares the DS
records to the DNSKEY records in the zone itself, and if they differ it
will complain loudly.

--Michael
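
Added example, not part of the original message and not ISC's import script: a minimal Python sketch of the kind of sanity check described above, comparing a DS entry (key tag, algorithm, digest type, digest) against a zone's DNSKEY records using the RFC 4034 key tag and digest rules. The function names and the sample key bytes are assumptions made for illustration; the sample data is constructed, not taken from TH or the ITAR.

```python
import hashlib
import struct
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (SHA-1), 2 (SHA-256)

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    # DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | public key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    # Key tag calculation from RFC 4034 Appendix B
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    # Canonical owner name: lowercased, length-prefixed labels, root terminator
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def check_ds(owner, ds, dnskeys):
    """ds = (key_tag, algorithm, digest_type, hex_digest); dnskeys = list of
    (flags, protocol, algorithm, pubkey). Returns complaints; [] means consistent."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return [f"unsupported digest type {dtype}"]
    problems = []
    for key in dnskeys:
        rdata = dnskey_rdata(*key)
        if key_tag(rdata) != tag:
            continue
        computed = DIGESTS[dtype](owner_wire(owner) + rdata).hexdigest()
        if computed != digest.lower():
            problems.append("digest mismatch")
        elif key[2] != alg:  # digest covers the real key; only the DS field is wrong
            problems.append(f"DS says algorithm {alg}, DNSKEY uses {key[2]}")
        else:
            return []
    return problems or [f"no DNSKEY with key tag {tag}"]

# Constructed sample data: the public key bytes are not a real key.
KEY = (257, 3, 5, bytes(range(64)))
_rd = dnskey_rdata(*KEY)
GOOD_DS = (key_tag(_rd), 5, 1, hashlib.sha1(owner_wire("th.") + _rd).hexdigest())
BAD_DS = (GOOD_DS[0], 3) + GOOD_DS[2:]  # algorithm listed as 3 while the key uses 5

if __name__ == "__main__":
    for ds in (GOOD_DS, BAD_DS):
        print(ds[:3], check_ds("th.", ds, [KEY]) or "ok")
```

Because the DS digest is computed over the DNSKEY RDATA, which includes the key's own algorithm octet, a DS whose digest matches but whose algorithm field differs is flagged separately from a genuine digest mismatch.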
