In message <4c2335ae.90...@nlnetlabs.nl>, "W.C.A. Wijngaards" writes:
> Hi George,
> 
> On 06/24/2010 11:59 AM, George Barwood wrote:
> > It could also note that validators SHOULD NOT check the RRSIG for a DNSKEY RRset
> > where all the keys are validated by DS records.
> 
> This is not possible, and Casey thought similarly, so here is text:  The
> RRSIG from a DNSKEY identified by a DS record must validate.  You must
> do this to ensure that you have obtained all DNSKEY RRs.  And thus know
> all of the algorithms in use.  And thus know which algorithms MUST have
> signatures over the zone content.  This is from RFC4035.

RFC 4035 is overly prescriptive.  The MUST applies for algorithms
published in DSs or trust anchors.  It was put there to prevent you
thinking a zone should be treated as secure and then not finding
signatures that you could use.  If the algorithm is not listed in
DS records and is not listed in published trust anchors then it
does not matter whether all records are signed by the algorithm.

> > There is no need for the DNSKEY RRset to be signed in this case, although of course
> > for compatibility it is necessary - but maybe one day in the very far future the SHOULD
> > above can become a MUST, and the requirement to provide an RRSIG can even later be relaxed.
> 
> No.  Algorithm rollover is very important, as one day cryptography
> advances may impose new algorithm constraints.
> 
> Best regards,
>    Wouter
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
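The two rules argued over in this thread, written out as an added example (not code from either poster, ISC or NLnet Labs): the DNSKEY RRset is accepted only when a key named by a DS record or trust anchor has a verified RRSIG over it, and the set of algorithms that MUST sign every zone RRset is taken from the DS records and trust anchors only. Records are modelled as key tag plus algorithm number, and cryptographic verification is assumed to have already happened (the caller passes the signers or algorithms whose RRSIGs verified); the DS, DNSKEY and key-tag values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRef:
    """Key tag + algorithm, as carried by a DS record, a trust anchor or a DNSKEY."""
    key_tag: int
    algorithm: int


def required_algorithms(ds_set, trust_anchors):
    """Algorithms that MUST have signatures over every RRset in the zone.

    Only algorithms in DS records or configured trust anchors count; an
    algorithm that appears solely in the DNSKEY RRset imposes no requirement.
    """
    return {k.algorithm for k in ds_set} | {k.algorithm for k in trust_anchors}


def dnskey_rrset_validates(dnskey_rrset, ds_set, trust_anchors, verified_signers):
    """Accept the DNSKEY RRset only if a key identified by a DS record or trust
    anchor is present in it and has a verified RRSIG over the RRset.  This is
    what establishes that the complete DNSKEY set (and so the algorithms in
    use) was obtained.  verified_signers: KeyRefs whose RRSIG over the DNSKEY
    RRset verified cryptographically (assumed done by the caller)."""
    entry_keys = (set(ds_set) | set(trust_anchors)) & set(dnskey_rrset)
    return bool(entry_keys & set(verified_signers))


def missing_algorithms(ds_set, trust_anchors, signing_algorithms):
    """Required algorithms with no verified RRSIG over a given zone RRset."""
    return required_algorithms(ds_set, trust_anchors) - set(signing_algorithms)


def zone_rrset_coverage_ok(ds_set, trust_anchors, signing_algorithms):
    """Every required algorithm must sign the RRset; extra algorithms are ignored."""
    return not missing_algorithms(ds_set, trust_anchors, signing_algorithms)


# Constructed scenario: the parent publishes a DS only for the RSASHA256 (8)
# KSK; the zone also carries an ECDSAP256SHA256 (13) key with no DS yet.
DS_SET = {KeyRef(11111, 8)}
TRUST_ANCHORS = set()
DNSKEYS = {KeyRef(11111, 8), KeyRef(22222, 8), KeyRef(33333, 13)}

if __name__ == "__main__":
    print(dnskey_rrset_validates(DNSKEYS, DS_SET, TRUST_ANCHORS, {KeyRef(11111, 8)}))  # True
    print(zone_rrset_coverage_ok(DS_SET, TRUST_ANCHORS, {8}))   # True: 13 is not required
    print(zone_rrset_coverage_ok(DS_SET, TRUST_ANCHORS, {13}))  # False: 8 is required
```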