On Mon, Feb 16, 2015 at 10:39:52PM +0530, Mukund Sivaraman wrote:
> DNSviz also has an explanation for why the green shapes are secure.

(1) There is one item that bothers me:

"fr. to cepn.asso.fr.: The DS RRset for the zone included algorithm 5 (RSASHA1), but no key with algorithm 5 was found signing the zone's DNSKEY RRset. (195.68.96.3, 217.70.177.40)"

I don't know what causes this message (the same message is shown when hovering on the arrow between the "fr." zone and "cepn.asso.fr." zone boxes).

(2) I wonder if Unbound is unusually strict in checking that different DS algorithms have corresponding DNSKEYs at the child, to avoid downgrade attacks. In the case of an RRSIG, this is a "MUST" requirement, that signatures exist for different DNSKEY algorithms to prevent downgrade attacks. (RFC 5702 sec. 8.2; RFC 4035 sec. 2.2) But while RFC 4509 sec. 6 talks about this issue in the case of DS with SHA-2 algorithms, there is no requirement there.

Mukund
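As an added illustration that is not part of the thread, the following check models the two conditions the message discusses: the DNSviz condition (a DS algorithm with no DNSKEY of that algorithm signing the child's DNSKEY RRset) and the RFC 4035 sec. 2.2 MUST (an RRSIG for every DNSKEY algorithm over each RRset). The record tuples and the sample zone data are constructed for the example and are not the real cepn.asso.fr. data.

```python
from collections import namedtuple

# Constructed, reduced record shapes (only the fields the checks need).
# Algorithm numbers follow the IANA DNSSEC registry: 5 = RSASHA1, 8 = RSASHA256.
DS = namedtuple("DS", "key_tag algorithm digest_type")
DNSKEY = namedtuple("DNSKEY", "flags algorithm key_tag")
RRSIG = namedtuple("RRSIG", "type_covered algorithm key_tag")


def missing_ds_algorithms(ds_set, dnskey_set, rrsigs):
    """DS algorithms that have no DNSKEY of that algorithm signing the child's
    DNSKEY RRset: the condition DNSviz reports in the thread, asked from the
    parent's side (every DS algorithm should be backed by a signing key)."""
    ds_algs = {ds.algorithm for ds in ds_set}
    signing_algs = set()
    for sig in rrsigs:
        if sig.type_covered != "DNSKEY":
            continue
        # A signature counts only if a DNSKEY with matching alg/tag is present.
        if any(k.algorithm == sig.algorithm and k.key_tag == sig.key_tag
               for k in dnskey_set):
            signing_algs.add(sig.algorithm)
    return sorted(ds_algs - signing_algs)


def missing_rrsig_algorithms(dnskey_set, rrsigs, rrtype):
    """RFC 4035 sec. 2.2 MUST: every algorithm present in the DNSKEY RRset
    needs an RRSIG of that algorithm over the RRset of type rrtype."""
    key_algs = {k.algorithm for k in dnskey_set}
    sig_algs = {s.algorithm for s in rrsigs if s.type_covered == rrtype}
    return sorted(key_algs - sig_algs)


# Constructed case mirroring the thread: the parent publishes DS records for
# algorithms 5 and 8, but the child only has, and signs with, an algorithm 8 key.
SAMPLE_DS = [DS(12345, 5, 1), DS(12345, 5, 2), DS(54321, 8, 2)]
SAMPLE_DNSKEY = [DNSKEY(257, 8, 54321), DNSKEY(256, 8, 11111)]
SAMPLE_RRSIGS = [RRSIG("DNSKEY", 8, 54321), RRSIG("A", 8, 11111)]

if __name__ == "__main__":
    for alg in missing_ds_algorithms(SAMPLE_DS, SAMPLE_DNSKEY, SAMPLE_RRSIGS):
        print(f"DS RRset includes algorithm {alg}, but no key with algorithm "
              f"{alg} was found signing the zone's DNSKEY RRset")
```

The first check flags algorithm 5 for the sample, while the second reports nothing, which is why a validator applying only the RFC 4035 MUST would accept the zone and one applying the DS-side check would not.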