[Dnssec-deployment] Validating algorithm types (was Re: DS digest types 1 vs 2)

Matt Larson mlarson at verisign.com
Mon Aug 2 10:33:04 EDT 2010


On Thu, 29 Jul 2010, Jakob Schlyter wrote:
> On 28 jul 2010, at 23.35, Chris Thompson wrote:
> > There is a meta-question here: is it the policy for the parent zone
> > or that for the child zone that determines this? My own feeling is
> > that the first is preferable: the child registers a (K)SK with the
> > parent and the parent decides what DS records to generate.
> 
> IMHO it is much simpler for the parent registry to just publish
> whatever the child submits. This puts all responsibility for
> correctness and the choice of algorithm on the child, and also makes
> it possible for the child to use a digest algorithm that the parent
> has yet to support (e.g. GOST). The registry could of course have a
> policy limiting the total number of DS records allowed from a single
> child, but that is another issue.
> 
> So for both technical and legal reasons, I'd choose to let the child
> make the call and the parent just publish - GIGO at its best.

+1 to Jakob's line of reasoning.

In the .com/.net registry, we require a registrar to submit the DS
record it wants published on behalf of its registrant: either the
registrar or the registrant needs to calculate the DS record(s) from
the DNSKEY.  We did not want to be in the position of making the
judgement call regarding DS digest types, e.g., what if we decided on
only SHA-256 but that didn't resolve somewhere important to the
registrant?

We are doing a sanity check on the algorithm field, however, and only
allowing DS records for legitimate algorithms, i.e., we are tracking
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1.

Here's a question for everyone: of the assigned algorithm types on the
page referenced above, are there any that don't make sense to allow a
DS record for?  I'm thinking particularly of indirect (252) and the
two private codes (253 and 254).  Is there any legitimate reason for a
DS record for keys with those algorithms to appear in the "public"
name space?

My inclination is that they should be allowed unless proven harmful.
Can anyone think of a reason to classify any assigned algorithm as
actually harmful?

Matt
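The two halves of the practice described above, the child (registrar or registrant) computing DS records from a DNSKEY and the parent sanity-checking the algorithm field against the IANA list before publishing whatever was submitted, as a worked example. This is an added illustration by the editor, not code from Matt, Jakob or the .com/.net registry: the DNSKEY is constructed dummy data, `ASSIGNED_ALGORITHMS` is the editor's snapshot of the registry around the time of the thread (a real implementation would load the live IANA list the message links to), and the `allow_special` policy knob for 252/253/254 is assumed, not anything the registry actually does.

```python
"""DS record generation (RFC 4034 s5.1.4) and a parent-side sanity check on submissions."""
import base64
import hashlib
import struct

# DS digest types this side can compute: 1 = SHA-1, 2 = SHA-256.
# GOST (3) is left out on purpose, modelling a parent that, as Jakob notes,
# may not yet support a digest type the child submits.
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}

# Editor's snapshot of assigned DNSKEY algorithm numbers (constructed table for the
# example; reserved values such as 0, 4, 9, 11 and 255 are deliberately absent).
ASSIGNED_ALGORITHMS = {1, 2, 3, 5, 6, 7, 8, 10, 12, 252, 253, 254}
SPECIAL_ALGORITHMS = {252: "INDIRECT", 253: "PRIVATEDNS", 254: "PRIVATEOID"}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (3), 1-byte algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Digest over canonical owner name || DNSKEY RDATA, as upper-case hex."""
    return DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type):
    """Child side: build the DS RDATA fields (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def check_ds_submission(tag, algorithm, digest_type, digest_hex, allow_special=True):
    """Parent side: return a list of problems with a submitted DS; empty means publish.
    Only the algorithm number is policed against the assigned list; the digest itself
    is published as submitted, so an unknown digest type still goes through."""
    problems = []
    if not 0 <= tag <= 0xFFFF:
        problems.append("key tag out of range")
    if algorithm not in ASSIGNED_ALGORITHMS:
        problems.append(f"algorithm {algorithm} is not an assigned DNSKEY algorithm number")
    elif algorithm in SPECIAL_ALGORITHMS and not allow_special:
        problems.append(f"algorithm {algorithm} ({SPECIAL_ALGORITHMS[algorithm]}) rejected by policy")
    try:
        raw = bytes.fromhex(digest_hex)
    except ValueError:
        problems.append("digest is not hexadecimal")
        return problems
    if digest_type in DIGEST_FUNCS:
        expected = DIGEST_FUNCS[digest_type]().digest_size
        if len(raw) != expected:
            problems.append(f"digest type {digest_type} needs {expected} octets, got {len(raw)}")
    return problems


if __name__ == "__main__":
    # Constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 8, four dummy key bytes.
    dummy_key = base64.b64encode(b"\x01\x02\x03\x04").decode()
    for dt in (1, 2):
        tag, alg, dtype, digest = make_ds("example.com.", 257, 3, 8, dummy_key, dt)
        print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
        print("registry check:", check_ds_submission(tag, alg, dtype, digest) or "publish")
```

Submitting both a type 1 and a type 2 DS for the same key, as the loop does, is how a child sidesteps the judgement call Matt describes: the parent publishes both and each validator uses the one it understands.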

