> On 1 Nov. 2016, at 11:22 am, George Michaelson <g...@algebras.org> wrote:
> 
> The net effect is the same in respect of new algorithms. I'm fine with
> checking conformance if the algorithm is known, it feels like a low
> bar.
> 
> Rejecting sigs because you don't know how to check feels like a huge
> impediment to technology: The use of the new algorithm is now gated by
> the ability of registrars to adopt it, rather than the rate of
> deployment by the actual zone holders.
> 
> -G
> 
> On Tue, Nov 1, 2016 at 10:15 AM, Geoff Huston <g...@apnic.net> wrote:
>> 
>>> On 1 Nov. 2016, at 3:37 am, Matthew Pounsett <m...@conundrum.com> wrote:
>>> 
>>> 
>>> 
>>> On 31 October 2016 at 00:22, George Michaelson <g...@algebras.org> wrote:
>>> It is only my personal opinion, but I believe registrars are incorrect
>>> in performing crypto alg checks on proffered DS, and this is an
>>> entirely unwarranted, and incorrect understanding of their role. It
>>> conflates one public good (checking) with another public good
>>> (registry of data into the DNS) and assumes one out-ranks the other:
>>> It doesn't, and the inability to track crypto alg change, makes the
>>> checking wrong. Its the lesser of two evils to stop checking, and
>>> permit unknown algorithms through.
>>> 
>>> I think this needs to be flagged up. Either they should be told to
>>> stop, or the requirements for algorithm agility which their role
>>> places on them should be made explicit.
>>> 
>>> I know of a couple of cases where registries perform similar checking.   
>>> Depending on the implementation, the registrar may need to perform the 
>>> checks themselves in order to prevent future upstream calls from generating 
>>> errors.
>>> 
>>> I think the way I'd implement this is to perform "best effort" checking.  
>>> If I know the algorithm, then make sure that the DS/DNSKEY supplied is 
>>> correct for that algorithm.  If I don't know the algorithm, pass it through 
>>> as-is (and log it so that I can have my developers investigate and add that 
>>> algo to the check library).
>> 
>> I pretty much agree with Matt here. I believe that this falls into a similar 
>> area as checking the NS records, and the justification is approximately 
>> along the lines of “if it lives in the zone file I should check that 
>> resolvers won’t encounter errors - to the extent I can”
>> 
>> 

—— back to bottom posting

I’m not necessarily disagreeing with you here - in saying that a “best effort” 
checking is a responsible position to take, that does not mean that unknown 
algs are not accepted. Neither Matt nor I have argued here in favour of 
"rejecting sigs” that are generated using unrecognised algs  - it means that 
they are not checked before zone inclusion was the intention.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to