On 2 Aug 2013 at 22:25, Mark Andrews wrote:
> In message <51fb9c18.23133.401e...@tmorizot.sd.is.irs.gov>, "Scott Morizot" 
> wri
> tes:
> > Hello all,
> > 
> > I ran into an interesting situation resolving dfas.mil. It appears that 
> > they have attempted to roll their ZSKs to algorithm 8 while leaving their 
> > KSKs on algorithm 7. Unfortunately, RFC 4035 specifies that if DNSKEYs 
> > for multiple algorithms exist in the apex DNSKEY RRset, then an RRSIG for 
> > each record set in the zone MUST include at least one RRSIG for each 
> > algorithm. (The distinction between KSK and ZSK is an operational 
> > convenience and not part of the standard, per se.) The relevant excerpt 
> > from Section 2.2 of RFC 4035:
> > 
> >    There MUST be an RRSIG for each RRset using at least one DNSKEY of
> >    each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
> >    itself MUST be signed by each algorithm appearing in the DS RRset
> >    located at the delegating parent (if any).

> Because the requirement is *only* on the signer.  You will note
> that the validator is NOT required to check for this as part of the
> list of things it is supposed to check for and that is a deliberate
> design decision.  If the signer follows this and the timing rules
> the zone will not be treated as bogus.  The unbound developers
> didn't realise this initially and added unspecified checks to their
> validator.

I hadn't noticed the differences between 2.2 and 5.3. Interesting. So you 
can have signing errors (at least according to the standard) that don't 
result in validation errors.

Thanks,

Scott

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to