[dns-operations] Missing algorithm 8 signatures in .museum zone

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Nov 16 18:08:14 UTC 2017

> On Nov 16, 2017, at 2:21 AM, Ondřej Surý <ondrej at sury.org> wrote:
> Since there's a least one valid path, this shouldn't pose operational
> problem unless people are running unbound < 1.5.5 or enabled
> harden-algo-downgrade in unbound.conf.

I have unbound-1.6.7, but also "harden-algo-downgrade: yes".
I therefore find that "museum" lookups ServFail frequently,
unless I add 'domain-insecure: "museum"'.  Perhaps because of:

$ mydig +nocd +nosplit -t ns museum. @g.ext.nic.fr.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55789
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;museum.                        IN NS
museum.                 NS      g.ext.nic.fr.
museum.                 NS      d.nic.fr.
museum.                 NS      f.ext.nic.fr.
museum.                 RRSIG   NS 8 1 172800 20180115085252 20171116085252 4566 museum. CIP8DsNXJc1jaAPcgg9A+JMnt6cmcGpHhvDhAmQS+pU/VvxqBmjaxhBmRUdbTFSxJjFxoSdWbH7C/W3R/+d/NR+tDePM7mrfZSUlyldPJDPQk1glgCZzHl4tl+tmberecFFOhETF4g6YsT1mqo/v9n1P1KLoJwyGkit8k25ngC38ObutHCflDxkGQsSo1hxa5p4FS7ingayHKEYDX7qcSSThjh1cZ+73mO4DQvKlvh2z/VzHUxINeFqdLOkbu5FIzUcH4KX09zEhOJRKsVs1PWbFwRJGBp4xsG5E0rH01iBnHIKwTTh1p/faX8+fAYFCjsaS+V3kCoue5Dxhl3Tovw==

The NS records of "museum" itself are signed with just algorithm 8,
and not algorithm 10, which does look like a downgrade.

> Maybe it's time to stop enforcing this requirement since unbound 1.5.5
> was release two years ago, and force operators running with
> 'harden-algo-downgrade: yes' to simply disable the option.

Well, that loses much of the advantage of algorithm agility.  So
really the "museum" operators should fix their signing software.


More information about the dns-operations mailing list