[dns-operations] algorithm rollover strategies

Edward Lewis ed.lewis at neustar.biz
Wed Nov 27 13:48:05 UTC 2013


On Nov 27, 2013, at 4:46, Peter Palfrader wrote:
> 
> Are there any guesstimates or even hard data what percentage of
> resolvers, if any, will consider zones bogus if the algorithm rollover
> is handled in the more liberal style as a regular double-signature KSK
> rollover?


This is a good question, one that I am dealing with myself.

Ironically, in private email yesterday I sent this to someone who was involved when the rules that have caused the problem were written.  In the sense "the horse has left the barn already, but:"

From the end of section 2.2 in RFC 4035:

   There MUST be an RRSIG for each RRset using at least one DNSKEY of
   each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
   itself MUST be signed by each algorithm appearing in the DS RRset
   located at the delegating parent (if any).

It should be:

   There MUST be an RRSIG for each RRset using at least one DNSKEY of
   each algorithm in the zone apex DNSKEY RRset that is also in the DS
   RRset.  The apex DNSKEY RRset itself MUST be signed by each algorithm
   appearing in the DS RRset located at the delegating parent (if any).

The latter is what I thought had been written until I re-read the section a few weeks ago.

It's too late to go back and change implementations that interpreted even the as-is text incorrectly.  By "wrong" I mean interpretations of the rule that were not in line with the apparently incompletely stated intent of the rule writers.  In the rear view mirror I can see how a validator might take the above as a requirement, but it means that they didn't notice that section 2 was "zone signing" and 2.2 was in "including RRSIGs in a zone" and not in sections 4 or 5 (resolving and validating).

The same argument has been made about the confusion over the definition of a "domain name" in STD 13 and "host name" in RFC 1123.  Context matters.

So - I wish we could measure the impact of what has been deployed.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

Why is it that people who fear government monitoring of social media are
surprised to learn that I avoid contributing to social media?
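
As an added illustration (not part of the original post), a small checker that applies both readings of the RFC 4035 text above to a constructed zone snapshot midway through a "liberal" algorithm rollover, where the new-algorithm KSK is already in the apex DNSKEY RRset but only the DNSKEY RRset carries signatures of the new algorithm. The Zone model, algorithm numbers and the snapshot itself are assumptions made for the example.

```python
from dataclasses import dataclass

RSASHA256, ECDSAP256SHA256 = 8, 13   # IANA DNSSEC algorithm numbers

@dataclass
class Zone:
    """Constructed model of a signed zone, reduced to algorithm numbers."""
    ds_algs: set        # algorithms in the parent's DS RRset
    dnskey_algs: set    # algorithms in the apex DNSKEY RRset
    rrsig_algs: dict    # RRset name -> algorithms that have an RRSIG over it

def _dnskey_missing(zone):
    # Both readings agree: the DNSKEY RRset must be signed by every DS algorithm.
    return [("DNSKEY", a) for a in sorted(zone.ds_algs - zone.rrsig_algs["DNSKEY"])]

def check_as_written(zone):
    """RFC 4035 s2.2 read literally: every algorithm in the apex DNSKEY
    RRset must sign every RRset.  Returns (rrset, algorithm) pairs lacking one."""
    missing = [(name, a) for name, algs in zone.rrsig_algs.items()
               for a in sorted(zone.dnskey_algs - algs)]
    return missing + _dnskey_missing(zone)

def check_as_intended(zone):
    """The reading Lewis expected: only DNSKEY algorithms that also appear
    in the DS RRset must sign every RRset."""
    required = zone.dnskey_algs & zone.ds_algs
    missing = [(name, a) for name, algs in zone.rrsig_algs.items()
               for a in sorted(required - algs)]
    return missing + _dnskey_missing(zone)

# Constructed snapshot: ECDSA KSK published, DNSKEY RRset double-signed,
# DS still RSA-only, all other RRsets still signed with RSA only.
LIBERAL_STEP = Zone(
    ds_algs={RSASHA256},
    dnskey_algs={RSASHA256, ECDSAP256SHA256},
    rrsig_algs={"DNSKEY": {RSASHA256, ECDSAP256SHA256},
                "SOA": {RSASHA256}, "NS": {RSASHA256}, "A": {RSASHA256}},
)

# Constructed snapshot of the conservative approach: every RRset is signed
# with both algorithms before the new DNSKEY is published.
CONSERVATIVE_STEP = Zone(
    ds_algs={RSASHA256},
    dnskey_algs={RSASHA256, ECDSAP256SHA256},
    rrsig_algs={n: {RSASHA256, ECDSAP256SHA256} for n in ("DNSKEY", "SOA", "NS", "A")},
)

if __name__ == "__main__":
    print("liberal, as written :", check_as_written(LIBERAL_STEP))
    print("liberal, as intended:", check_as_intended(LIBERAL_STEP))
    print("conservative, as written:", check_as_written(CONSERVATIVE_STEP))
```

A validator applying the literal reading reports the SOA, NS and A RRsets as lacking algorithm 13 signatures in the liberal snapshot, which is exactly the state that can be judged bogus; the intended reading accepts it, and the conservative snapshot satisfies both.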
