[dns-operations] ZSK algorithm different from DS/KSK algorithm?

Mark Andrews marka at isc.org
Wed Nov 15 05:35:36 UTC 2017


> On 15 Nov 2017, at 4:12 pm, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
> 
>> On Nov 14, 2017, at 11:41 PM, Mark Andrews <marka at isc.org> wrote:
>> 
>> Yes.  There must be a DNSKEY records for every algorithm in the DS.
>> There is no reverse requirement.  The zone doesn’t even have to be
>> fully signed with algorithm 7.  It must be fully signed with algorithm 8.
>> The SEP bit is only advisory.
> 
> Thanks, so I think that the problem here is that at least some
> of the nameservers return only the ZSK (alg 7) RRSIG for some
> records:

That would be the problem.  The DS says there will be algorithm 8 records present.

* A validator that only supports algorithm 8 will mark the answer as bogus.
* A validator that supports algorithm 8 and algorithm 7 is permitted to accept
  the answer or reject it.  It is local policy / implementors choice whether to
  enforce that there is an algorithm 8 RRSIG there or not.  BIND doesn’t.
* A validator that only supports algorithm 7 should treat the response as
  insecure.

The signing rules were designed to prevent bogus occurring if they are
followed.

> $ dig +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl \
>  +nottl +nosplit +norecur -t tlsa _25._tcp.diogenes.leeuwarden.nl \
>  @213.136.12.51
> 
> ... condensed for clarity ...
> 
> ;; AUTHORITY SECTION:
> leeuwarden.nl.          SOA     a-p-ddi-0003.leeuwarden.nl. ...
> leeuwarden.nl.          RRSIG   SOA 8 2 ...
> leeuwarden.nl.          RRSIG   SOA 7 2 ...
> 34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. NSEC3 1 0 10 ...
> 34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. RRSIG NSEC3 7 3 ...
> encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. NSEC3 1 0 10 ...
> encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 8 3 ...
> encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 7 3 ...
> ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. NSEC3 1 0 10 ...
> ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. RRSIG NSEC3 8 3 ...
> ki17q2rfqp6dblhont38803tshr4b7h0.leeuwarden.nl. RRSIG NSEC3 7 3 ...
> 
> Above one of the 3 NSEC3 records (34l83kdikrttor5v48r03n9nmstp7ol9)
> has only an algorithm 7 signature, but it must be signed with
> algorithm 8 if I understand your comment correctly.
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
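Added example, not part of the thread or of any ISC code: a small checker that applies the rule discussed above (every RRset in a signed zone must carry an RRSIG for each algorithm listed in the zone's DS RRset, RFC 4035 section 2.2 as clarified by RFC 6840 section 5.11) to a dig-style authority section, and then classifies the outcome for the three validator capabilities Mark lists. The sample response is constructed to mirror the condensed output quoted above; the DS set is assumed to contain algorithm 8 only, as in the thread. Cryptographic verification of the signatures themselves is out of scope and assumed to succeed.

```python
from collections import defaultdict

# Constructed sample modelled on the condensed authority section in the thread
# (owner, type, rdata; class and TTL omitted as in the quoted dig output).
SAMPLE_RESPONSE = """\
leeuwarden.nl. SOA a-p-ddi-0003.leeuwarden.nl. ...
leeuwarden.nl. RRSIG SOA 8 2 ...
leeuwarden.nl. RRSIG SOA 7 2 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. NSEC3 1 0 10 ...
34l83kdikrttor5v48r03n9nmstp7ol9.leeuwarden.nl. RRSIG NSEC3 7 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. NSEC3 1 0 10 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 8 3 ...
encnakfk04ucddr2sjk31icqc2itvq87.leeuwarden.nl. RRSIG NSEC3 7 3 ...
"""

# Assumption for the example: the DS RRset for the zone lists algorithm 8 only.
DS_ALGORITHMS = {8}


def parse_rrsets(text):
    """Map (owner, type) -> set of RRSIG algorithms covering that RRset.

    A plain record registers its RRset with an empty set; an RRSIG line
    ('<owner> RRSIG <covered-type> <algorithm> <labels> ...') adds its
    algorithm number to the RRset it covers.
    """
    sigs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        owner, rtype = fields[0], fields[1]
        if rtype == "RRSIG":
            covered, alg = fields[2], int(fields[3])
            sigs[(owner, covered)].add(alg)
        else:
            sigs.setdefault((owner, rtype), set())
    return dict(sigs)


def missing_signatures(rrsets, ds_algorithms):
    """Return {(owner, type): missing DS algorithms} for every RRset that lacks
    an RRSIG for some algorithm present in the DS RRset. An empty dict means
    the signing rule is satisfied for this response."""
    return {
        key: ds_algorithms - algs
        for key, algs in rrsets.items()
        if ds_algorithms - algs
    }


def validator_outcome(rrset_algs, ds_algorithms, supported):
    """Classify one RRset for a validator that implements `supported`
    algorithms, following the three cases in the reply above.

    'secure'       every DS algorithm the validator knows has an RRSIG
                   (actual signature verification assumed to succeed)
    'bogus'        a known DS algorithm is unsigned and nothing else the
                   validator can check is present
    'local-policy' a known DS algorithm is unsigned, but a signature with
                   another supported algorithm exists; RFC 6840 lets the
                   validator accept or reject (BIND accepts)
    'insecure'     no DS algorithm is supported, so the zone is treated
                   as unsigned
    """
    usable_ds = ds_algorithms & supported
    if not usable_ds:
        return "insecure"
    if not (usable_ds - rrset_algs):
        return "secure"
    if rrset_algs & supported:
        return "local-policy"
    return "bogus"


if __name__ == "__main__":
    rrsets = parse_rrsets(SAMPLE_RESPONSE)
    for (owner, rtype), missing in missing_signatures(rrsets, DS_ALGORITHMS).items():
        print(f"{owner} {rtype}: no RRSIG for DS algorithm(s) {sorted(missing)}")
        for caps in ({8}, {7, 8}, {7}):
            print(f"  validator supporting {sorted(caps)}: "
                  f"{validator_outcome(rrsets[(owner, rtype)], DS_ALGORITHMS, caps)}")
```

Run against the constructed sample, the checker flags only the NSEC3 RRset at 34l83kdikrttor5v48r03n9nmstp7ol9 as lacking an algorithm 8 signature, and reports bogus / local-policy / insecure for the three validator capabilities in turn; a full-zone check would run the same logic over an AXFR rather than one response.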




