[dns-operations] Missing algorithm 8 signatures in .museum zone

ondrej at sury.org ondrej at sury.org
Thu Nov 16 19:25:44 UTC 2017

Because you just can't change the root zone DNSSEC algorithm without 
serious bloat of the packet sizes. And that is (will be) a critical problem 
for the next RZ KSK rollover.

In fact, this applies to all zones, but RZ is especially critical as the 
rollover might take some time (as seen now) and you don't want to have 
double signatures on everything in the root zone for 6 months+.

Also it has been beaten to death and the consensus was that this rule 
should not be enforced on resolvers as it is causing legitimate operational 
problems. DNSSEC deployment is complicated even without enforcement of 
rules that were never meant to be.


On 17 November 2017 03.07.46 Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:

>> On Nov 16, 2017, at 1:38 PM, <ondrej at sury.org> <ondrej at sury.org> wrote:
>> Nope, that just means that NLNetLabs should remove harden-algo-downgrade 
>> option from Unbound as it is causing operational problems.
>> And you should disable it.
> Actually, it has been working remarkably well for me, for many years,
> with .museum the first observed problem.  Why do you feel so strongly
> that hardening against algorithm downgrade attacks is bad?
> In any case, my system is a bit of a "canary", doing DNSSEC/DANE
> deployment surveys, so having it fail is perhaps a feature. Is
> there broad consensus that we should just accept algorithm
> downgrades?  If so, I could indeed stop looking for sites that
> run into trouble that way.
> --
> 	Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
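An operator-side check for the condition named in the subject line, added here as an example and not taken from the thread, Unbound, or any signer: it follows RFC 4035 section 2.2, which requires each authoritative RRset to carry an RRSIG from every algorithm present in the apex DNSKEY RRset. It assumes input in `dig +dnssec` presentation format (owner, TTL, class, type, rdata on one line) for a single zone; the `example.` records, key tags and key material are constructed.

```python
from collections import defaultdict

# Constructed sample, not real .museum data: the apex publishes DNSKEYs for
# algorithms 7 and 8, but the A RRset is signed with algorithm 7 only.
SAMPLE = """\
example. 3600 IN DNSKEY 257 3 7 AwEAAconstructed7
example. 3600 IN DNSKEY 257 3 8 AwEAAconstructed8
example. 3600 IN RRSIG DNSKEY 7 1 3600 20171201000000 20171116000000 1111 example. c2ln
example. 3600 IN RRSIG DNSKEY 8 1 3600 20171201000000 20171116000000 2222 example. c2ln
www.example. 300 IN A 192.0.2.1
www.example. 300 IN RRSIG A 7 2 300 20171201000000 20171116000000 1111 example. c2ln
"""


def parse(text):
    """Return (apex DNSKEY algorithms, {(owner, type): RRSIG algorithms})."""
    key_algs, rrsets = set(), defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue                      # skip blanks and dig comment lines
        owner, rtype, rdata = f[0].lower(), f[3].upper(), f[4:]
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered, algorithm, labels, ...
            rrsets[(owner, rdata[0].upper())].add(int(rdata[1]))
            continue
        rrsets[(owner, rtype)]            # touch, so unsigned RRsets are listed
        if rtype == "DNSKEY":
            # DNSKEY rdata: flags, protocol, algorithm, public key
            key_algs.add(int(rdata[2]))
    return key_algs, dict(rrsets)


def missing_algorithms(text):
    """Map each RRset to the DNSKEY algorithms with no covering RRSIG."""
    key_algs, rrsets = parse(text)
    return {rrset: sorted(key_algs - sig_algs)
            for rrset, sig_algs in sorted(rrsets.items())
            if key_algs - sig_algs}


if __name__ == "__main__":
    for (owner, rtype), algs in missing_algorithms(SAMPLE).items():
        print(f"{owner} {rtype}: no RRSIG for algorithm(s) {algs}")
```

Feed it only authoritative data from the zone being checked; delegation NS records and glue are legitimately unsigned and would be reported.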