[dns-operations] Missing algorithm 8 signatures in .museum zone

Mark Andrews marka at isc.org
Thu Nov 16 12:48:09 UTC 2017


It will be a problem with alg 10 disabled.  I’m assuming no one would
have alg 8 disabled.

> On 16 Nov 2017, at 6:21 pm, Ondřej Surý <ondrej at sury.org> wrote:
> 
> Since there's at least one valid path, this shouldn't pose an operational
> problem unless people are running unbound < 1.5.5 or enabled
> harden-algo-downgrade in unbound.conf.
> 
> Maybe it's time to stop enforcing this requirement since unbound 1.5.5
> was released two years ago, and force operators running with
> 'harden-algo-downgrade: yes' to simply disable the option.
> 
> Ondrej
> -- 
> Ondřej Surý <ondrej at sury.org>
> 
> On Thu, Nov 16, 2017, at 07:20, Viktor Dukhovni wrote:
>> 
>> The .museum zone has algorithm 8 and 10 DS and DNSKEY RRs, but
>> some records are signed with just algorithm 10:
>> 
>> http://dnsviz.net/d/ww2.dsm.museum/Wg0sRQ/dnssec/
>> 
>> @d.nic.fr.[194.0.9.1]
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38522
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>> ;dsm.museum.            IN DS
>> museum.                 SOA     a.nic.fr. ...
>> museum.                 RRSIG   SOA 10 1 ...
>> 7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. NSEC3 1 1 1 B66887C4 ...
>> 7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. RRSIG NSEC3 10 2 ...
>> 
>> @f.ext.nic.fr.[194.146.106.46]
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60958
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>> ;dsm.museum.            IN DS
>> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4 
>> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. RRSIG NSEC3 10 2 ...
>> museum.                 SOA     a.nic.fr. ...
>> museum.                 RRSIG   SOA 10 1 ...
>> 
>> @g.ext.nic.fr.[194.0.36.1]
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56321
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
>> ;dsm.museum.            IN DS
>> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4 ...
>> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. RRSIG NSEC3 10 2 ...
>> museum.                 SOA     a.nic.fr. ...
>> museum.                 RRSIG   SOA 10 1 ...
>> 
>> -- 
>> 	Viktor.
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
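
Added example (not part of the original messages, and not code from unbound or BIND): a small checker that reads dig-style authority lines like those quoted above, lists which DS algorithms have no RRSIG on each RRset, and runs a simplified model of the validator behaviours discussed in the thread. The function names, the sample text and the strict/lenient model are assumptions made for illustration.

```python
# Constructed sample modelled on the dig output quoted in the thread; the
# elided rdata ("...") is dropped, and owner-name case is mixed on purpose.
SAMPLE = """\
;dsm.museum.            IN DS
museum.                 SOA     a.nic.fr.
museum.                 RRSIG   SOA 10 1
7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4
7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. RRSIG NSEC3 10 2
"""

def rrsig_algorithms(text):
    """Map (owner, type) -> set of algorithm numbers of the RRSIGs covering it."""
    rrsets = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith(";"):
            continue  # blank line, comment or question-section echo
        owner, rest = fields[0].lower(), fields[1:]  # owner names are case-insensitive
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip optional TTL and class
        if not rest:
            continue
        if rest[0].upper() == "RRSIG" and len(rest) >= 3 and rest[2].isdigit():
            # RRSIG rdata starts with: type-covered, algorithm
            rrsets.setdefault((owner, rest[1].upper()), set()).add(int(rest[2]))
        elif rest[0].upper() != "RRSIG":
            rrsets.setdefault((owner, rest[0].upper()), set())
    return rrsets

def missing_algorithms(rrsets, ds_algs):
    """RRsets lacking a signature for some algorithm present in the DS RRset."""
    return {k: sorted(ds_algs - a) for k, a in rrsets.items() if ds_algs - a}

def validator_outcome(sig_algs, ds_algs, supported, strict):
    """Simplified model; assumes every RRSIG that is present verifies."""
    usable = ds_algs & supported
    if not usable:
        return "insecure"  # no supported DS algorithm: zone treated as unsigned
    if strict:  # models 'harden-algo-downgrade: yes'
        ok = usable <= sig_algs
    else:       # any one supported algorithm is enough
        ok = bool(usable & sig_algs)
    return "secure" if ok else "bogus"

if __name__ == "__main__":
    sets = rrsig_algorithms(SAMPLE)
    print(missing_algorithms(sets, {8, 10}))
    for supported, strict in [({8, 10}, False), ({8, 10}, True), ({8}, False)]:
        print(sorted(supported), strict, validator_outcome({10}, {8, 10}, supported, strict))
```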




