[dns-operations] Missing algorithm 8 signatures in .museum zone

[Mark Andrews]

> On 17 Nov 2017, at 5:53 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
> 
>> On Nov 16, 2017, at 1:38 PM, <ondrej at sury.org> <ondrej at sury.org> wrote:
>> 
>> Nope, that just means that NLNetLabs should remove harden-algo-downgrade option from Unbound as it is causing operational problems.
>> 
>> And you should disable it.

I believe the current code checks the DS records rather than the DNSKEY
records to get the set of algorithms that must exist.   That was always a
acceptable policy.  It was taking the signers rules and applying them in
the validator that was not acceptable i.e. using the DNSKEY RRset to get
the set of algorithms to check  for RRSIG existence.  The loose coherence
of DNS never made that viable.

> Actually, it has been working remarkably well for me, for many years,
> with .museum the first observed problem.  Why do you feel so strongly
> that hardening against algorithm downgrade attacks is bad?

If a algorithm is too weak then it should not be used to validate at all.
Insecure is an acceptable status.  If it is not too weak the what is the
issue with using any algorithm?

A downgrade attack can only be successful if you continue to use a
algorithm once it has been broken.

> In any case, my system is a bit of a "canary", doing DNSSEC/DANE
> deployment surveys, so having it fail is perhaps a feature. Is
> there broad consensus that we should just accept algorithm
> downgrades?  If so, I could indeed stop looking for sites that
> run into trouble that way.
> 
> -- 
> 	Viktor.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org