On 3/17/25 22:38, Philip Homburg wrote:
1. that all signers perform algorithm rollovers at the same time
(but why would, e.g., Cloudflare want to coordinate a hypothetical
migration from algorithm 13 to 15 with NS1?);
I'm curious what that would look like from DNSSEC validator point of view.
The current spec is that a validator looks at the DS RRset. If there is no
algorithm in the DS RRset that is supported by the validator, then the
zone is insecure.
Suppose a validator understands 13 but not 15. And if it gets data from
Cloudflare in this example, then validation will fail and the zone is
DNSSEC bogus.
That is correct; it would only work with algorithms that are universally supported. I
should have picked 8 --> 13 as the example, not 13 --> 15.
A multi-signer setup would not be admissible unless each signer uses an
algorithm that is universally understood -- but not necessarily the same
algorithm.
See Section 2.2 of
https://www.ietf.org/archive/id/draft-huque-dnsop-multi-alg-rules-04.html#name-signer-requirements.
To preempt a common objection: The issue of how to determine universal support
is orthogonal to the protocol proposal itself.[0]
Peter
[0] The judgment needed is of the same sort as for transitioning an algorithm to
"MUST NOT use for signing" in RFC 8624 and the like. In both cases, an
assessment about the use or non-use of an algorithm has to be made, to then inform the
decision whether it is safe to assume universal support, or whether it is safe to outlaw
it.
--
https://desec.io/
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
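The validator behaviour described in the exchange above, and the admissibility rule Peter states for multi-signer setups, as an added example that is not part of the thread, the draft, or any resolver's code. The algorithm numbers 8, 13 and 15 are the IANA DNSSEC registry values named in the thread; the function names, the two-signer scenario and the choice of which algorithms count as "universally supported" are assumptions made for the illustration. Signature verification itself is not modelled: a signature in an algorithm the validator supports is taken to verify.

```python
"""Constructed model of the DNSSEC validator logic discussed in the thread.

Assumptions (not from the thread or the draft): function names, the sample
signers, and the set passed as 'universally_supported'.
"""
from enum import Enum

# IANA DNSSEC algorithm numbers, used only as labels in this model.
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15


class Outcome(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


def validate(ds_algorithms, validator_supports, rrsig_algorithms):
    """Outcome for a single response, following the rule Philip paraphrases.

    ds_algorithms:      algorithms present in the parent's DS RRset
    validator_supports: algorithms this validator implements
    rrsig_algorithms:   algorithms of the RRSIGs on the answer actually
                        received (assumed to verify against a DNSKEY that
                        matches a DS of the same algorithm)
    """
    usable = set(ds_algorithms) & set(validator_supports)
    if not usable:
        # No DS algorithm the validator knows: the delegation is treated as
        # unsigned, i.e. insecure rather than bogus.
        return Outcome.INSECURE
    if set(rrsig_algorithms) & usable:
        # At least one signature chain the validator can follow exists; that
        # is enough (RFC 6840 section 5.11).
        return Outcome.SECURE
    # The validator expects a signed zone but only sees signatures it cannot
    # check: the answer is bogus.
    return Outcome.BOGUS


def validates_from_every_signer(ds_algorithms, validator_supports, signers):
    """In a multi-signer zone any query may be answered by any signer, so a
    validator must be able to validate every signer's answers.

    signers maps a (hypothetical) signer name to the algorithms it signs with.
    Returns the per-signer outcome so the failing signer is visible.
    """
    return {
        name: validate(ds_algorithms, validator_supports, algs)
        for name, algs in signers.items()
    }


def multi_signer_admissible(signers, universally_supported):
    """Peter's admissibility rule: each signer must sign with at least one
    algorithm that is universally understood, but the signers need not use
    the same algorithm as each other."""
    return all(set(algs) & set(universally_supported)
               for algs in signers.values())


if __name__ == "__main__":
    # Constructed scenario from the thread: a hypothetical 13 -> 15 migration
    # where one signer is already on 15 and a validator knows 13 but not 15.
    ds = {ECDSAP256SHA256, ED25519}
    signers = {"signer-A": {ECDSAP256SHA256}, "signer-B": {ED25519}}
    old_validator = {RSASHA256, ECDSAP256SHA256}
    print(validates_from_every_signer(ds, old_validator, signers))

    # Assumed "universally supported" set; what belongs in it is the judgment
    # call Peter says is orthogonal to the protocol proposal.
    universal = {RSASHA256, ECDSAP256SHA256}
    print(multi_signer_admissible(signers, universal))
    # The corrected 8 -> 13 example: different algorithms per signer, both
    # universally supported, so the setup is admissible.
    signers_8_13 = {"signer-A": {RSASHA256}, "signer-B": {ECDSAP256SHA256}}
    print(multi_signer_admissible(signers_8_13, universal))
```

The per-signer result is what makes the objection concrete: for the validator that lacks algorithm 15, answers from signer-A validate while answers from signer-B come back bogus, so whether a given query succeeds depends on which signer's nameserver happened to answer it. The admissibility check only passes once every signer has at least one algorithm in the assumed universal set.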