[Dnssec-deployment] Validating algorithm types (was Re: DS digest types 1 vs 2)
Paul Hoffman
paul.hoffman at vpnc.org
Mon Aug 2 11:39:14 EDT 2010
At 10:33 AM -0400 8/2/10, Matt Larson wrote:
>We are doing a sanity check on the algorithm field, however, and only
>allowing DS records for legitimate algorithms, i.e., we are tracking
>http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1.
>
>Here's a question for everyone: of the assigned algorithm types on the
>page referenced above, are there any that don't make sense to allow a
>DS record for? I'm thinking particularly of indirect (252) and the
>two private codes (253 and 254). Is there any legitimate reason for a
>DS record for keys with those algorithms to appear in the "public"
>name space?
252 is right out: it is not defined anywhere. I can see you using an algorithm number for an indirect signature mechanism that is defined, but not until then.
Once draft-ietf-dnsext-dnssec-alg-allocation is published (any day/week/month now), I see no reason to accept 253 or 254. "Private" means "not public", and you are signing a public zone.
>My inclination is that they should be allowed unless proven harmful.
My, you seem to like slippery slopes. How harmful to do want them to be? How will you measure that?
>Can anyone think of a reason to classify any assigned algorithm as
>actually harmful?
Nope. But I can see a reason not to have things defined as private, or things that are undefined, not be part of a public zone.
--Paul Hoffman, Director
--VPN Consortium
More information about the Dnssec-deployment
mailing list