[dns-operations] Missing algorithm 8 signatures in .museum zone
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Nov 16 18:08:14 UTC 2017
> On Nov 16, 2017, at 2:21 AM, Ondřej Surý <ondrej at sury.org> wrote:
>
> Since there's at least one valid path, this shouldn't pose an operational
> problem unless people are running unbound < 1.5.5 or enabled
> harden-algo-downgrade in unbound.conf.
I have unbound-1.6.7, but also "harden-algo-downgrade: yes".
I therefore find that "museum" lookups ServFail frequently,
unless I add 'domain-insecure: "museum"'. Perhaps because of:
$ mydig +nocd +nosplit -t ns museum. @g.ext.nic.fr.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55789
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;museum. IN NS
museum. NS g.ext.nic.fr.
museum. NS d.nic.fr.
museum. NS f.ext.nic.fr.
museum. RRSIG NS 8 1 172800 20180115085252 20171116085252 4566 museum. CIP8DsNXJc1jaAPcgg9A+JMnt6cmcGpHhvDhAmQS+pU/VvxqBmjaxhBmRUdbTFSxJjFxoSdWbH7C/W3R/+d/NR+tDePM7mrfZSUlyldPJDPQk1glgCZzHl4tl+tmberecFFOhETF4g6YsT1mqo/v9n1P1KLoJwyGkit8k25ngC38ObutHCflDxkGQsSo1hxa5p4FS7ingayHKEYDX7qcSSThjh1cZ+73mO4DQvKlvh2z/VzHUxINeFqdLOkbu5FIzUcH4KX09zEhOJRKsVs1PWbFwRJGBp4xsG5E0rH01iBnHIKwTTh1p/faX8+fAYFCjsaS+V3kCoue5Dxhl3Tovw==
The NS records of "museum" itself are signed with just algorithm 8,
and not algorithm 10, which does look like a downgrade.
> Maybe it's time to stop enforcing this requirement since unbound 1.5.5
> was released two years ago, and force operators running with
> 'harden-algo-downgrade: yes' to simply disable the option.
Well, that loses much of the advantage of algorithm agility. So
really the "museum" operators should fix their signing software.
--
Viktor.
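As an added illustration (not part of the thread, and not Unbound's code), the following script applies the rule from RFC 4035 section 2.2 that a strict validator enforces with 'harden-algo-downgrade: yes': every algorithm in the apex DNSKEY RRset must sign every RRset in the zone. The DNSKEY lines are constructed stand-ins for the "museum" apex keys (algorithms 8 and 10); the RRSIG line is the algorithm-8 signature over the NS RRset from the dig output above, truncated.

```python
"""Report DNSKEY algorithms that are missing from an RRset's RRSIGs.

An empty result means the RRset satisfies the strict rule; a non-empty result
is exactly the condition under which a resolver running with
'harden-algo-downgrade: yes' fails validation (ServFail) instead of accepting
the remaining valid path.
"""

# Constructed sample input (not the real museum DNSKEY set): two apex keys,
# one per algorithm, plus the algorithm-8 RRSIG from the thread, truncated.
DNSKEY_LINES = [
    "museum. 3600 IN DNSKEY 257 3 8 AwEAAcCONSTRUCTEDKEY8==",
    "museum. 3600 IN DNSKEY 257 3 10 AwEAAdCONSTRUCTEDKEY10==",
]
RRSIG_LINES = [
    "museum. RRSIG NS 8 1 172800 20180115085252 20171116085252 4566 museum. CIP8DsNXJc1jaAPc==",
]


def _rdata_after(fields, rtype):
    """Return the rdata fields following <rtype> in a presentation-format line,
    or None if the line is not of that type (tolerates optional TTL and class)."""
    try:
        i = fields.index(rtype)
    except ValueError:
        return None
    return fields[i + 1:]


def dnskey_algorithms(lines, owner):
    """Algorithms present in <owner>'s DNSKEY RRset (rdata: flags proto alg key)."""
    algs = set()
    for line in lines:
        fields = line.split()
        if fields and fields[0].lower() == owner.lower():
            rdata = _rdata_after(fields, "DNSKEY")
            if rdata:
                algs.add(int(rdata[2]))
    return algs


def rrsig_algorithms(lines, owner, covered):
    """Algorithms that sign <owner>/<covered> (rdata: type-covered alg labels ...)."""
    algs = set()
    for line in lines:
        fields = line.split()
        if fields and fields[0].lower() == owner.lower():
            rdata = _rdata_after(fields, "RRSIG")
            if rdata and rdata[0] == covered:
                algs.add(int(rdata[1]))
    return algs


def missing_algorithms(dnskey_lines, rrsig_lines, owner, covered):
    """DNSKEY algorithms with no RRSIG over <owner>/<covered>."""
    return dnskey_algorithms(dnskey_lines, owner) - rrsig_algorithms(rrsig_lines, owner, covered)


if __name__ == "__main__":
    print(missing_algorithms(DNSKEY_LINES, RRSIG_LINES, "museum.", "NS"))  # {10}
```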