[dns-operations] Missing algorithm 8 signatures in .museum zone

ondrej at sury.org
Thu Nov 16 18:38:07 UTC 2017


Nope, that just means that NLNetLabs should remove the harden-algo-downgrade 
option from Unbound as it is causing operational problems.

And you should disable it.

O.




On 17 November 2017 02.26.47 Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

>
>
>> On Nov 16, 2017, at 2:21 AM, Ondřej Surý <ondrej at sury.org> wrote:
>>
>> Since there's at least one valid path, this shouldn't pose an operational
>> problem unless people are running unbound < 1.5.5 or enabled
>> harden-algo-downgrade in unbound.conf.
>
> I have unbound-1.6.7, but also "harden-algo-downgrade: yes".
> I therefore find that "museum" lookups ServFail frequently,
> unless I add 'domain-insecure: "museum"'.  Perhaps because of:
>
> $ mydig +nocd +nosplit -t ns museum. @g.ext.nic.fr.
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55789
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> ;museum.                        IN NS
> museum.                 NS      g.ext.nic.fr.
> museum.                 NS      d.nic.fr.
> museum.                 NS      f.ext.nic.fr.
> museum.                 RRSIG   NS 8 1 172800 20180115085252 20171116085252 
> 4566 museum. 
> CIP8DsNXJc1jaAPcgg9A+JMnt6cmcGpHhvDhAmQS+pU/VvxqBmjaxhBmRUdbTFSxJjFxoSdWbH7C/W3R/+d/NR+tDePM7mrfZSUlyldPJDPQk1glgCZzHl4tl+tmberecFFOhETF4g6YsT1mqo/v9n1P1KLoJwyGkit8k25ngC38ObutHCflDxkGQsSo1hxa5p4FS7ingayHKEYDX7qcSSThjh1cZ+73mO4DQvKlvh2z/VzHUxINeFqdLOkbu5FIzUcH4KX09zEhOJRKsVs1PWbFwRJGBp4xsG5E0rH01iBnHIKwTTh1p/faX8+fAYFCjsaS+V3kCoue5Dxhl3Tovw==
>
> The NS records of "museum" itself are signed with just algorithm 8,
> and not algorithm 10, which does look like a downgrade.
>
>> Maybe it's time to stop enforcing this requirement since unbound 1.5.5
>> was released two years ago, and force operators running with
>> 'harden-algo-downgrade: yes' to simply disable the option.
>
> Well, that loses much of the advantage of algorithm agility.  So
> really the "museum" operators should fix their signing software.
>
> --
> 	Viktor.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
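The disagreement in this thread comes down to which rule a validator applies: RFC 4035 section 2.2 says every RRset must carry an RRSIG for each algorithm in the zone's DNSKEY RRset (the rule Unbound enforces with 'harden-algo-downgrade: yes'), while RFC 6840 section 5.11 lets a validator accept any one valid path. The script below is an added example, not code from the thread, from Unbound or from the .museum operators: it parses dig-style RRSIG lines, lists the RRsets that are missing a signature for some DNSKEY algorithm, and models both validator policies. The NS RRSIG is the record quoted above with its signature data trimmed; the DNSKEY algorithm set {8, 10}, the SOA RRSIGs and the key tag 12345 are constructed to stand in for a zone that advertises both algorithms.

```python
import re
from collections import defaultdict

# Presentation-format RRSIG as printed by dig:
#   owner [ttl] [IN] RRSIG type_covered alg labels orig_ttl expiration inception keytag signer sig
# The signature data after the signer name is not needed for this check and is not captured.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+"
    r"(?P<covered>[A-Z0-9]+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)"
)


def parse_rrsigs(lines):
    """Map (owner, type covered) -> set of algorithm numbers that have an RRSIG."""
    sigs = defaultdict(set)
    for line in lines:
        m = RRSIG_RE.match(line.strip())
        if m is None:
            continue  # not an RRSIG line (plain NS records, comments, blank lines)
        sigs[(m["owner"].lower(), m["covered"].upper())].add(int(m["alg"]))
    return dict(sigs)


def missing_algorithms(dnskey_algs, rrsigs):
    """RRsets lacking an RRSIG for some algorithm present in the apex DNSKEY RRset.

    This is the RFC 4035 section 2.2 requirement. Returns
    {(owner, type): set of missing algorithms} for every violation.
    """
    expected = set(dnskey_algs)
    return {rrset: expected - algs for rrset, algs in rrsigs.items() if expected - algs}


def would_validate(dnskey_algs, rrsig_algs, harden_algo_downgrade):
    """Model only the algorithm-coverage decision; signature crypto is assumed to verify.

    Strict mode (Unbound 'harden-algo-downgrade: yes') demands every DNSKEY
    algorithm; lenient mode (RFC 6840 section 5.11) accepts any one valid path.
    """
    expected, present = set(dnskey_algs), set(rrsig_algs)
    if harden_algo_downgrade:
        return expected <= present
    return bool(expected & present)


# Constructed sample (assumption): the zone advertises algorithms 8 and 10.
SAMPLE_DNSKEY_ALGS = {8, 10}
# Constructed sample: the NS RRSIG is the thread's record with its signature
# trimmed; the SOA RRSIGs and key tag 12345 are made up for illustration.
SAMPLE_DIG_OUTPUT = """\
museum.                 NS      g.ext.nic.fr.
museum.                 NS      d.nic.fr.
museum.                 RRSIG   NS 8 1 172800 20180115085252 20171116085252 4566 museum. CIP8DsNX...
museum.                 RRSIG   SOA 8 1 3600 20180115085252 20171116085252 4566 museum. AAAA...
museum.                 RRSIG   SOA 10 1 3600 20180115085252 20171116085252 12345 museum. BBBB...
"""


def report(dnskey_algs=SAMPLE_DNSKEY_ALGS, dig_output=SAMPLE_DIG_OUTPUT):
    """Return the RRsets in dig_output that a strict validator would reject."""
    rrsigs = parse_rrsigs(dig_output.splitlines())
    return missing_algorithms(dnskey_algs, rrsigs)


if __name__ == "__main__":
    for (owner, rtype), missing in report().items():
        print(f"{owner} {rtype}: no RRSIG for algorithm(s) {sorted(missing)}; "
              "a validator with harden-algo-downgrade enabled will SERVFAIL")
```

On the sample the NS RRset is reported as missing algorithm 10, which is exactly the shape of the .museum problem: `would_validate({8, 10}, {8}, harden_algo_downgrade=True)` is False while the lenient policy accepts it. Running the same check against real `dig +dnssec` output for every RRset in a zone, each time a signing-software or algorithm-rollover change goes out, catches the condition before strict resolvers do.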