[dnssec-deployment] About "no validation" for DNS root signing strategy
roy at dnss.ec
Mon Oct 12 11:50:52 EDT 2009
On Oct 12, 2009, at 5:09 PM, Thierry Moreau wrote:
> Roy Arends wrote:
>> On Oct 9, 2009, at 11:11 PM, Thierry Moreau wrote:
>>> My original post suggested to use the algorithm identifier code as
>>> an implementation of "no validation" for partial deployment of the
>>> signed root among root nameservers. I've got "it could have other
>>> issues" as the only response so far.
>> My personal concern with using a different algorithm identifier
>> code than the one intended to use (be it private or simply a new
>> code point) in real production is that (1) it needs temporary code
>> (i.e. will become stale) in a highly critical, audit-able,
>> production environment. (2) invokes an algorithm roll during early
>> deployment (which was part of the reason to deploy with RSASHA2
>> instead of RSASHA1). (3) what is the behavior of validators when
>> configured with an unknown/private algorithm. Does it complain?fail?
>> warn?triestovalidatebutconsidersitbogus? Are the warnings well
>> understood, even if written in a language that are not in "her
>> mother tongue" ?
> In any event, proper of validator software when an unknown algorithm
> is used in a zone MUST be according to DNSSEC RFCs, and should not
> call for operator attention as it can occur in normal DNS operations.
Can't parse that. Can you rephrase?
> I guess there is no need for an algorithm roll if the interim one is
> not recognized by any validator software.
In the root zone, you'd still need to substitute the signatures from
the unknown/private algorithm key, and the key itself with the proper
keys and signatures, right? I'd call that roll-over.
More information about the Dnssec-deployment