[dns-operations] Missing algorithm 8 signatures in .museum zone

Ondřej Surý ondrej at sury.org
Thu Nov 16 14:25:40 UTC 2017


Are you aware of any implementation that would implement RSASHA256,
but not RSASHA512? I am not, and I believe if somebody has a weird
configuration like this, it should just break.

O.
-- 
Ondřej Surý <ondrej at sury.org>

On Thu, Nov 16, 2017, at 13:48, Mark Andrews wrote:
> It will be a problem with alg 10 disabled.  I’m assuming no one would
> have alg 8 disabled.
> 
> > On 16 Nov 2017, at 6:21 pm, Ondřej Surý <ondrej at sury.org> wrote:
> > 
> > Since there's at least one valid path, this shouldn't pose an operational
> > problem unless people are running unbound < 1.5.5 or have enabled
> > harden-algo-downgrade in unbound.conf.
> > 
> > Maybe it's time to stop enforcing this requirement since unbound 1.5.5
> > was released two years ago, and force operators running with
> > 'harden-algo-downgrade: yes' to simply disable the option.
> > 
> > Ondrej
> > -- 
> > Ondřej Surý <ondrej at sury.org>
> > 
> > On Thu, Nov 16, 2017, at 07:20, Viktor Dukhovni wrote:
> >> 
> >> The .museum zone has algorithm 8 and 10 DS and DNSKEY RRs, but
> >> some records are signed with just algorithm 10:
> >> 
> >> http://dnsviz.net/d/ww2.dsm.museum/Wg0sRQ/dnssec/
> >> 
> >> @d.nic.fr.[194.0.9.1]
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38522
> >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> >> ;dsm.museum.            IN DS
> >> museum.                 SOA     a.nic.fr. ...
> >> museum.                 RRSIG   SOA 10 1 ...
> >> 7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. NSEC3 1 1 1 B66887C4 ...
> >> 7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum. RRSIG NSEC3 10 2 ...
> >> 
> >> @f.ext.nic.fr.[194.146.106.46]
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60958
> >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> >> ;dsm.museum.            IN DS
> >> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4 
> >> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. RRSIG NSEC3 10 2 ...
> >> museum.                 SOA     a.nic.fr. ...
> >> museum.                 RRSIG   SOA 10 1 ...
> >> 
> >> @g.ext.nic.fr.[194.0.36.1]
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56321
> >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> >> ;dsm.museum.            IN DS
> >> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. NSEC3 1 1 1 B66887C4 ...
> >> 7FE0D5I1IL7EOPRUB8Q9T7CN5JGHDM73.museum. RRSIG NSEC3 10 2 ...
> >> museum.                 SOA     a.nic.fr. ...
> >> museum.                 RRSIG   SOA 10 1 ...
> >> 
> >> -- 
> >> 	Viktor.
> >> 
> >> _______________________________________________
> >> dns-operations mailing list
> >> dns-operations at lists.dns-oarc.net
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 
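The disagreement above is about validator policy: RFC 4035 section 2.2 demands an RRSIG of every advertised algorithm on every RRset, while RFC 6840 section 5.11 lets a validator accept any single valid path, which is what unbound does unless harden-algo-downgrade is turned on. The following Python is an added worked example written for this thread, not code from the original post or from unbound or BIND. It models both policies over algorithm numbers only (no key tags, validity windows or actual signature verification), and it lets you remove algorithms from the validator's repertoire to reproduce Mark's "alg 10 disabled" case. The sample data is constructed from the dig output quoted above; the assumption that the apex DNSKEY RRset is signed by both algorithms 8 and 10 is not shown in the thread.

```python
"""DNSSEC algorithm-coverage check for a signed zone.

Added example for this thread; it is not code from the original post or
from unbound/BIND. It reasons about algorithm numbers only: key tags,
RRSIG validity windows and the signature verification itself are out of
scope.

Policies modelled:
  strict   every DS algorithm must sign the apex DNSKEY RRset and every
           DNSKEY algorithm must sign every other RRset (RFC 4035 2.2,
           the behaviour unbound enforces with harden-algo-downgrade: yes)
  lenient  one usable signature path per RRset is enough (RFC 6840 5.11,
           unbound's default since 1.5.5 according to the thread)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedRRset:
    owner: str
    rrtype: str
    rrsig_algs: frozenset  # algorithm numbers of the RRSIGs covering it


def restrict(ds_algs, dnskey_algs, rrsets, supported=None):
    """Drop algorithms the validator does not implement or has disabled.

    A DS the validator cannot use is treated as absent (RFC 4035 5.2), and
    an RRSIG of an unsupported algorithm cannot be checked, so it is dropped
    too. `supported=None` means every algorithm is usable.
    """
    ds, keys = frozenset(ds_algs), frozenset(dnskey_algs)
    if supported is None:
        return ds, keys, list(rrsets)
    sup = frozenset(supported)
    return (ds & sup, keys & sup,
            [SignedRRset(r.owner, r.rrtype, r.rrsig_algs & sup) for r in rrsets])


def strict_gaps(ds_algs, dnskey_algs, rrsets, supported=None):
    """(owner, type) -> algorithms whose RRSIG is missing under strict policy.

    An empty dict means the zone is fully signed for every algorithm it
    advertises, so even a validator with harden-algo-downgrade is satisfied.
    """
    ds, keys, rrsets = restrict(ds_algs, dnskey_algs, rrsets, supported)
    gaps = {}
    for r in rrsets:
        wanted = ds if r.rrtype == "DNSKEY" else keys
        missing = wanted - r.rrsig_algs
        if missing:
            gaps[(r.owner, r.rrtype)] = missing
    return gaps


def validates(ds_algs, dnskey_algs, rrsets, strict=False, supported=None):
    """Whole-zone verdict under the chosen policy and algorithm support."""
    ds, keys, rrsets = restrict(ds_algs, dnskey_algs, rrsets, supported)
    if not ds & keys:
        return False  # no DS/DNSKEY pair the validator can use: no chain
    if strict and strict_gaps(ds, keys, rrsets):
        return False
    for r in rrsets:
        # the DNSKEY RRset needs a key the parent DS points at; everything
        # else needs a key from the (now trusted) DNSKEY RRset
        usable = ds & keys if r.rrtype == "DNSKEY" else keys
        if not r.rrsig_algs & usable:
            return False
    return True


# Constructed from the dig output in the thread: DS and DNSKEY advertise
# algorithms 8 and 10, but SOA and NSEC3 carry only algorithm-10 RRSIGs.
# The DNSKEY RRset being signed by both algorithms is an assumption; the
# thread does not show those RRSIGs.
MUSEUM_DS = {8, 10}
MUSEUM_DNSKEY = {8, 10}
MUSEUM_RRSETS = [
    SignedRRset("museum.", "DNSKEY", frozenset({8, 10})),
    SignedRRset("museum.", "SOA", frozenset({10})),
    SignedRRset("7fe0d5i1il7eoprub8q9t7cn5jghdm73.museum.", "NSEC3", frozenset({10})),
]


def museum_report():
    """Verdicts for the .museum example under the scenarios in the thread."""
    return {
        "lenient": validates(MUSEUM_DS, MUSEUM_DNSKEY, MUSEUM_RRSETS),
        "harden-algo-downgrade": validates(MUSEUM_DS, MUSEUM_DNSKEY, MUSEUM_RRSETS, strict=True),
        # a validator with RSASHA512 (10) disabled, but 8/13/14 available
        "alg 10 disabled": validates(MUSEUM_DS, MUSEUM_DNSKEY, MUSEUM_RRSETS, supported={8, 13, 14}),
        "gaps": strict_gaps(MUSEUM_DS, MUSEUM_DNSKEY, MUSEUM_RRSETS),
    }


if __name__ == "__main__":
    for scenario, verdict in museum_report().items():
        print(f"{scenario}: {verdict}")
```

Running it reproduces the three positions in the thread: the lenient verdict is secure because algorithm 10 provides a complete path, the strict verdict is bogus because SOA and NSEC3 lack algorithm-8 signatures, and a validator with algorithm 10 disabled sees only the algorithm-8 DS and has no usable signature on SOA or NSEC3 at all.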



