On Thu, Jul 20, 2017 at 9:51 AM, Stephane Bortzmeyer <bortzme...@nic.fr>
wrote:

> On Wed, Jul 19, 2017 at 02:28:37PM +0200,
>  Shumon Huque <shu...@gmail.com> wrote
>  a message of 153 lines which said:
>
> > > Suppose I send the list ECDSA;RSA, and I receive only ECDSA
> > > signatures. How would the resolver/cache know if it was a complete
> > > list?
> >
> > The response contains the EDNS0 option if the responder executed
> > this protocol. In which case, the cache would tag this response as a
> > subset.
>
> Sorry, I still do not understand. The EDNS0 option does not indicate
> if the set is a subset or not. Or do you assume that, if the response
> indicates that the responder executes this protocol, an answer is
> always a subset (even if it's not)?
>

The EDNS0 option, if received from the server, indicates that both (1) the
server understands this protocol and (2) the server executed this protocol,
i.e. that the response includes a subset (specifically 1) of the deployed
signature algorithms. I think the latest draft says this, but if not, I'll
fix:

    https://tools.ietf.org/html/draft-huque-dnssec-alg-nego-01

Also, if the server uses only one algorithm, but understands this protocol,
then it probably shouldn't include this option, because there is nothing to
do.


> > When the resolver queries the DNSKEY RRset for the zone, it knows
> > which algorithms are supported for the zone.
>
> You can have keys which are not used for signing (such as in the root
> today).
>

Certainly, but only for the same algorithm. If there are multiple
algorithms in use at an authoritative server, then there need to be
signatures associated with each algorithm.

RFC 4035, Section 2.2

   There MUST be an RRSIG for each RRset using at least one DNSKEY of
   each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
   itself MUST be signed by each algorithm appearing in the DS RRset
   located at the delegating parent (if any).

-- 
Shumon Huque
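As an added example (not code from the draft or from either poster), here is how a validating cache could apply the two rules discussed above: the RFC 4035 section 2.2 requirement that every algorithm in the apex DNSKEY RRset has an RRSIG, and the draft's rule that a response carrying the alg-nego EDNS0 option is an intentional single-algorithm subset that must be tagged rather than treated as a broken zone. The option is modelled as a boolean flag (its wire format is not modelled), and the key tags and algorithm numbers below are constructed sample values using the IANA registry codes 8 (RSASHA256) and 13 (ECDSAP256SHA256).

```python
from dataclasses import dataclass

RSASHA256 = 8          # IANA DNSSEC algorithm numbers
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int       # key tag of the signing DNSKEY (constructed values)


def apex_algorithms(dnskeys):
    """Algorithms present in the apex DNSKEY RRset, given (alg, key_tag) pairs.
    Coverage is per algorithm, so extra unused keys of an algorithm that is
    already signing (as at the root today) do not count as missing."""
    return {alg for alg, _ in dnskeys}


def check_coverage(dnskeys, rrsigs, alg_nego_option_present):
    """Classify a response for the cache. Returns (status, missing_algorithms).

    'complete'  : every apex algorithm has an RRSIG (RFC 4035 section 2.2);
                  a present option is then redundant, as the thread notes.
    'subset'    : algorithms are missing but the alg-nego option is present,
                  so the responder deliberately sent exactly one algorithm;
                  the cache must tag the entry and not serve it as complete.
    'malformed' : option present, yet more than one algorithm is signed,
                  which contradicts the single-algorithm subset the thread
                  describes (assumption drawn from the thread, not the draft).
    'violation' : algorithms missing and no option: the zone or server is
                  not meeting RFC 4035 section 2.2.
    """
    required = apex_algorithms(dnskeys)
    present = {sig.algorithm for sig in rrsigs}
    missing = required - present
    if not missing:
        return "complete", set()
    if alg_nego_option_present:
        if len(present) != 1:
            return "malformed", missing
        return "subset", missing
    return "violation", missing


# Constructed sample zone: two RSA keys (one never signs) plus one ECDSA key.
SAMPLE_DNSKEYS = [(RSASHA256, 1001), (RSASHA256, 1002), (ECDSAP256SHA256, 2001)]
```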
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
