[dns-operations] Problems resolving .gov using DLV

Edward Lewis Ed.Lewis at neustar.biz
Tue Mar 17 12:34:10 UTC 2009


At 12:18 +0100 3/17/09, Florian Weimer wrote:
>And 5.2 trumps 5.5?  I wouldn't count on that.  RFC 4033 lists the

The intent has always been that if a user cannot understand the 
algorithm, the user ignores the algorithm's presence.  If, for all 
algorithms in the DS set none are understood, the zone is unsigned 
(in the eye of the user).

This is needed for backwards compatibility.  (It's like me walking 
into Prague and, not knowing Czech at all, ignoring all the warning 
signs in the Czech language and hoping for the English version. 
Sure, I might be a little suspicious if the signage gave off other 
hints, like a nuclear radiation sign, but we don't get that in 
cryptographic strings.)

The bug(s) in this instance is/are in any software that fails to 
choke in a correct manner on an algorithm it does not implement.

Multiple algorithm management is a pain.  I screwed it up in the 
first go-round of a validator.  At the time only one algorithm was 
available, when I tried the second I found I had made errors in the 
data structures (not just the execution paths).

For a long time we would come across a usage scenario of "my clique 
wants to use stronger security so we will only sign it with 
triple-secret double-probation single-malt Flubarg algorithm and not 
the cheesy RSA or DSA stuff."  The response to that was "well, then 
the rest of the world will see you as unsigned, lowering your 
security."

The interesting thing here is that this isn't the case that .gov's 
administration tried to go to higher security as in that scenario, 
but that they were "forced" into this because of the need to use an 
algorithm for NSEC3.  There's no rollback because NSEC is not an 
option.

But then again, DNSSEC is all about the user, not the server. 
'Course, if the user's choice blocks access...whaddya goin' to do? 
Roll out of DNSSEC?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
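
The DS-handling rule Ed describes (RFC 4035 section 5.2), as an added example that is not part of this thread: a validator drops DS records whose algorithm or digest type it does not implement and, if none remain, treats the child zone as unsigned ("insecure") rather than bogus. The DNSKEY material is constructed; the algorithm numbers 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1, the NSEC3 algorithm .gov moved to) are the IANA-registered values and are assumed to be the ones at issue.

```python
"""RFC 4035 5.2: DS records with unsupported algorithms are ignored; none left => unsigned."""
import hashlib
from typing import Iterable, NamedTuple

class DNSKEY(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (RFC 4034) and 2 (RFC 4509)

def wire_name(owner: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, length octets, root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(k: DNSKEY) -> bytes:
    return k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.public_key

def key_tag(k: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (ones-complement-style 16-bit sum over the RDATA)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(k)):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, k: DNSKEY, digest_type: int) -> DS:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](wire_name(owner) + dnskey_rdata(k)).digest()
    return DS(key_tag(k), k.algorithm, digest_type, digest)

def classify_delegation(owner: str, ds_set: Iterable[DS], dnskeys: Iterable[DNSKEY],
                        supported_algs: set, supported_digests: set) -> str:
    """'insecure': no usable DS, treat child as unsigned; 'proceed': a DS matches a child
    zone key, so RRSIG validation of the DNSKEY RRset can continue; 'bogus': no match."""
    usable = [d for d in ds_set
              if d.algorithm in supported_algs and d.digest_type in supported_digests]
    if not usable:
        return "insecure"  # the validator "cannot understand the algorithm" => unsigned
    for d in usable:
        for k in dnskeys:
            if k.flags & 0x0100 and k.protocol == 3 and k.algorithm == d.algorithm \
               and key_tag(k) == d.key_tag and make_ds(owner, k, d.digest_type) == d:
                return "proceed"
    return "bogus"  # a supported DS exists but no DNSKEY in the child matches it
```

A resolver that only knows algorithm 5 therefore sees a delegation signed with algorithm 7 as unsigned, which is the "rest of the world sees you as unsigned" outcome in the message; the failure Ed calls a bug is returning "bogus" (SERVFAIL) instead.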


