[dns-operations] Unknown algorithm and validation direction

Edward Lewis Ed.Lewis at neustar.biz
Tue Apr 20 15:52:11 UTC 2010


At 10:50 -0400 4/20/10, Andrew Sullivan wrote:

>The latter I get, but could you explain more how the unknown algorithm
>stuff is relevant?  (Also, does this belong over in
>protocol-maintenance land?  I can't tell.)

Let's say the validator understands algorithm 5 and has trust point 
that is algorithm 5, but doesn't understand algorithm 7 and you get 
this:

owner       IN   type
owner       IN   RRSIG     type ...alg=7...

zone        IN   DNSKEY    alg=7
zone        IN   RRSIG     type ...alg=7...

zone        IN   DS        alg=7
zone        IN   RRSIG     type ...alg=5... (by the trust point's key)

If you are going bottom up, you see no usable signature for the first record.

Then you confirm that the zone is unsigned wrt the algorithms you 
know from the DS set.

Validator declares the answer to be "knowingly unsigned" because 
there are no signatures to work with and no signature is expected.

If this went top-down, it should still work (evidenced by the bug 
being fixed) but there's the temptation to do the wrong thing when 
you scramble down to the DS set and determine you've run out of 
algorithms, meaning you could choose SERVFAIL instead of declaring 
the subzone to be unsigned.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Wouldn't it be nice if all of the definitions of equivalence were the same?
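An added example, not part of Ed's message or of any real validator's code, that models the decision the post describes: a validator that only knows algorithm 5 meets algorithm-7 signatures and must consult the DS set before choosing between "insecure" and SERVFAIL. The record classes, the `valid` flag standing in for a real signature check, and the supported-algorithm set are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    valid: bool  # constructed stand-in for verifying the signature against the DNSKEY

# This validator understands only algorithm 5 (RSA/SHA-1), as in the post.
SUPPORTED_ALGORITHMS = frozenset({5})

def ds_set_usable(ds_set, supported=SUPPORTED_ALGORITHMS):
    """True if the (already validated) DS set names at least one algorithm we can
    use. RFC 4035 section 5.2: if it names none, there is no supported
    authentication path into the child, and the child is treated as unsigned."""
    return any(ds.algorithm in supported for ds in ds_set)

def validate_rrset(rrsigs, ds_set, supported=SUPPORTED_ALGORITHMS):
    """Classify a child-zone RRset as 'secure', 'insecure' or 'bogus'.

    Bottom-up order from the post: first look for a signature we can check;
    only if there is none, decide from the DS set whether one was expected."""
    checkable = [sig for sig in rrsigs if sig.algorithm in supported]
    if any(sig.valid for sig in checkable):
        return "secure"
    if not ds_set_usable(ds_set, supported):
        # No signature in a known algorithm is expected: "knowingly unsigned".
        # This is the branch a validator must not turn into SERVFAIL.
        return "insecure"
    # A supported DS promised a key we could use, so a checkable signature was
    # expected and is missing or wrong: validation failure, i.e. SERVFAIL.
    return "bogus"

def naive_validate(rrsigs, supported=SUPPORTED_ALGORITHMS):
    """The tempting wrong answer: declare bogus whenever no signature verifies,
    without ever asking the DS set whether one was expected."""
    checkable = [sig for sig in rrsigs if sig.algorithm in supported]
    return "secure" if any(sig.valid for sig in checkable) else "bogus"

if __name__ == "__main__":
    # Constructed sample matching the post: alg-7 RRSIG, alg-7 DS, alg-5 trust point.
    alg7_sigs, alg7_ds = [RRSIG(7, 12345, False)], [DS(12345, 7)]
    print(validate_rrset(alg7_sigs, alg7_ds))  # insecure
    print(naive_validate(alg7_sigs))           # bogus (the wrong answer)
```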


