[dns-operations] [DNSSEC] How mandatory is "mandatory algorithm"?
Jelte Jansen
jelte at isc.org
Tue Sep 14 08:45:18 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/14/2010 10:22 AM, Stephane Bortzmeyer wrote:
> Several of the online DNSSEC checking tools complain when a zone is
> not signed with the mandatory algorithm RSA/SHA1 (which is the case of
> .CAT, .PM and the root - although this one is difficult to test with
> many tools which choke on ".").
>
> For instance, two good tools, <http://dnscheck.iis.se> or
> <http://dnscheck.pingdom.com/> complain on that. Other tools have no
> problem.
>
> Which is right? Is RSA/SHA1 simply "mandatory to implement" (which is
> my reading of the RFCs) or actually "mandatory to use" in every signed
> zone?
>
I always read it as mandatory-to-implement. Mandatory-to-use would not make any
sense to me (in fact I think it would be counter-productive in terms of security).
OTOH, a warning could be ok 'since this algorithm is not mandatory, there might
be implementations that would consider this zone unsigned'.
> RFC 4034, appendix A, and
> <http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>
> (which does not indicate if the algorithm is mandatory or not).
Wasn't there some discussion about this on dnsext a while ago?
Jelte
ps. I also noticed at least one checking tool that gave an error on zones that
use only one key (instead of a separate KSK and a ZSK), though i forget which
one. Point is that some of the tools also have a bit of growing up to do :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkyPNh4ACgkQ4nZCKsdOncVfFQCeIpZXmnzXMCmwda06vKAqjqg0
EV8AoLurWaccoFPgB2FQErs5cYfzTpY6
=sj0l
-----END PGP SIGNATURE-----
More information about the dns-operations
mailing list