[dns-operations] Unknown algorithm and validation direction
Ed.Lewis at neustar.biz
Tue Apr 20 15:52:11 UTC 2010
At 10:50 -0400 4/20/10, Andrew Sullivan wrote:
>The latter I get, but could you explain more how the unknown algorithm
>stuff is relevant? (Also, does this belong over in
>protocol-maintenance land? I can't tell.)
Let's say the validator understands algorithm 5 and has a trust point
that is algorithm 5, but doesn't understand algorithm 7, and you get
  owner IN type
  owner IN RRSIG type ...alg=7...
  zone  IN DNSKEY alg=7
  zone  IN RRSIG type ...alg=7...
  zone  IN DS alg=7
  zone  IN RRSIG type ...alg=5... (by the trust point's key)
If you are going bottom up, you see no usable signature for the first record.
Then you confirm that the zone is unsigned wrt the algorithms you
know from the DS set.
Validator declares the answer to be "knowingly unsigned" because
there are no signatures to work with and no signature is expected.
If this went top-down, it should still work (evidenced by the bug
being fixed) but there's the temptation to do the wrong thing when
you scramble down to the DS set and determine you've run out of
algorithms, meaning you could choose SERVFAIL instead of declaring
the subzone to be unsigned.
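Worked example, added here and not part of the thread or of any validator's code: a toy top-down validator that walks from an algorithm 5 trust point to a child delegated with an algorithm 7 DS, and returns "insecure" (the "knowingly unsigned" outcome) rather than "bogus" (SERVFAIL) when no DS algorithm is supported. The zone names, key bytes and answer records are constructed; the digest and signature routines are SHA-256 stand-ins for the real DNSSEC algorithms, and the DNSKEY/DS/RRSIG classes are simplified models, not dnspython or any real library.

```python
"""Toy DNSSEC validator: unsupported DS algorithm -> insecure, not bogus.
All names, keys and records below are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RSASHA1 = 5             # algorithm this toy validator implements
RSASHA1_NSEC3_SHA1 = 7  # algorithm it does NOT implement
SUPPORTED_ALGS = {RSASHA1}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    alg: int
    key: bytes  # stand-in for public key material (also used to "sign" here)


@dataclass(frozen=True)
class DS:
    alg: int
    digest: bytes


@dataclass(frozen=True)
class RRSIG:
    alg: int
    signer: str
    sig: bytes


@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    rdata: Tuple[str, ...]
    sigs: Tuple[RRSIG, ...] = ()


@dataclass(frozen=True)
class Zone:
    name: str
    keys: Tuple[DNSKEY, ...]
    dnskey: RRset        # DNSKEY RRset signed by the zone's own key
    ds: Optional[RRset]  # DS RRset held at the parent, signed by the parent


def ds_for(key: DNSKEY) -> DS:
    # Real DS digests cover owner name + DNSKEY RDATA; same shape, toy hash.
    h = hashlib.sha256(key.owner.encode() + bytes([key.alg]) + key.key).digest()
    return DS(key.alg, h)


def _signed_bytes(rrset: RRset) -> bytes:
    return "|".join((rrset.owner, rrset.rtype, *sorted(rrset.rdata))).encode()


def toy_sign(key: DNSKEY, rrset: RRset) -> RRset:
    """Stand-in for RRSIG generation: SHA-256 over key material and RRset."""
    sig = hashlib.sha256(key.key + _signed_bytes(rrset)).digest()
    return RRset(rrset.owner, rrset.rtype, rrset.rdata,
                 rrset.sigs + (RRSIG(key.alg, key.owner, sig),))


def verify_with(keys: Tuple[DNSKEY, ...], rrset: RRset) -> bool:
    """True if some RRSIG on rrset verifies under some key, using only
    algorithms this validator implements (unknown algorithms are skipped)."""
    for sig in rrset.sigs:
        if sig.alg not in SUPPORTED_ALGS:
            continue
        for key in keys:
            if key.alg != sig.alg or key.owner != sig.signer:
                continue
            expected = hashlib.sha256(key.key + _signed_bytes(rrset)).digest()
            if hmac.compare_digest(expected, sig.sig):
                return True
    return False


def dnskey_rrset(zone: str, keys: Tuple[DNSKEY, ...]) -> RRset:
    return RRset(zone, "DNSKEY", tuple(f"{k.alg} {k.key.hex()}" for k in keys))


def ds_rrset(zone: str, keys: Tuple[DNSKEY, ...]) -> RRset:
    return RRset(zone, "DS", tuple(f"{d.alg} {d.digest.hex()}" for d in map(ds_for, keys)))


def parse_ds(rrset: RRset) -> Tuple[DS, ...]:
    return tuple(DS(int(a), bytes.fromhex(d)) for a, d in (r.split() for r in rrset.rdata))


def validate(answer: RRset, chain: Tuple[Zone, ...], anchor: DNSKEY) -> str:
    """Top-down walk from the trust point's zone (chain[0]) to the zone
    holding `answer` (chain[-1]). Returns 'secure', 'insecure' or 'bogus'."""
    apex = chain[0]
    if anchor not in apex.keys or not verify_with((anchor,), apex.dnskey):
        return "bogus"
    trusted = apex.keys
    for zone in chain[1:]:
        # The DS set is signed with the parent's algorithm, so it is checkable
        # even when the child's own keys use an algorithm we do not know.
        if zone.ds is None or not verify_with(trusted, zone.ds):
            return "bogus"
        usable = [ds for ds in parse_ds(zone.ds) if ds.alg in SUPPORTED_ALGS]
        # RFC 4035 s5.2: authenticated DS set, no supported algorithm -> the
        # child is treated as unsigned. Returning "bogus" here is the mistake
        # the message describes (SERVFAIL instead of "knowingly unsigned").
        if not usable:
            return "insecure"
        entry_keys = tuple(k for k in zone.keys if ds_for(k) in usable)
        if not entry_keys or not verify_with(entry_keys, zone.dnskey):
            return "bogus"
        trusted = zone.keys
    return "secure" if verify_with(trusted, answer) else "bogus"


def build_case(child_alg: int, forged_answer: bool = False):
    """Constructed chain: example. (alg 5 trust point) -> sub.example."""
    parent_key = DNSKEY("example.", RSASHA1, b"constructed-parent-key")
    parent = Zone("example.", (parent_key,),
                  toy_sign(parent_key, dnskey_rrset("example.", (parent_key,))), None)
    child_key = DNSKEY("sub.example.", child_alg, b"constructed-child-key")
    child = Zone("sub.example.", (child_key,),
                 toy_sign(child_key, dnskey_rrset("sub.example.", (child_key,))),
                 toy_sign(parent_key, ds_rrset("sub.example.", (child_key,))))
    signer = DNSKEY("sub.example.", child_alg, b"constructed-wrong-key") if forged_answer else child_key
    answer = toy_sign(signer, RRset("www.sub.example.", "A", ("192.0.2.1",)))
    return answer, (parent, child), parent_key


def run_scenarios() -> Dict[str, str]:
    return {
        "child_alg7_unknown": validate(*build_case(RSASHA1_NSEC3_SHA1)),
        "child_alg5_good": validate(*build_case(RSASHA1)),
        "child_alg5_bad_sig": validate(*build_case(RSASHA1, forged_answer=True)),
    }


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name}: {state}")
```

The point to take from the three outcomes: the algorithm 7 case is decided at the DS set, before any algorithm 7 signature is ever examined, so a validator that cannot evaluate those signatures never has a reason to fail the answer; only a chain whose algorithms it does support can end in "bogus".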