[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?

Jelte Jansen jelte at isc.org
Tue Sep 14 08:45:18 UTC 2010

Hash: SHA1

On 09/14/2010 10:22 AM, Stephane Bortzmeyer wrote:
> Several of the online DNSSEC checking tools complain when a zone is
> not signed with the mandatory algorithm RSA/SHA1 (which is the case of
> .CAT, .PM and the root - although this one is difficult to test with
> many tools which choke on ".").
> For instance, two good tools, <http://dnscheck.iis.se> or
> <http://dnscheck.pingdom.com/> complain on that. Other tools have no
> problem.
> Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
> my reading of the RFCs) or actually "mandatory to use" in every signed
> zone?

I always read it as mandatory-to-implement. Mandatory-to-use would not make any
sense to me (in fact I think it would be counter-productive in terms of security).

OTOH, a warning could be ok 'since this algorithm is not mandatory, there might
be implementations that would consider this zone unsigned'.

> RFC 4034, appendix A, and
> <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>
> (which does not indicate if the algorithm is mandatory or not).

Wasn't there some discussion about this on dnsext a while ago?


ps. I also noticed at least one checking tool that gave an error on zones that
use only one key (instead of a separate KSK and a ZSK), though i forget which
one. Point is that some of the tools also have a bit of growing up to do :)
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the dns-operations mailing list