[Dnssec-deployment] cases - was Re: Barbie sez: "Algorithm rollovers are HARD!"

Michael Sinatra michael at rancid.berkeley.edu
Tue Aug 17 12:05:28 EDT 2010

On 08/17/10 08:13, Michael Sinatra wrote:

> It seems the issue is, how does the admin of the authoritative zone
> signal what algorithms are to be used for signing? Currently, it is the
> presence of the key in the DNSKEY RRset. It also could be the presence
> of the DS record(s) in the parent and/or trust anchor in the cache. But
> that is not currently the case--even if my only trust anchor/DS record
> is algorithm 10, the presence of an algorithm 5 DNSKEY in the zone apex
> means there must be both algorithm 5 and 10 RRSIGs.

It appears from the thread that Jelte cites, in particular Mark's
response, that the intent is for the presence/absence of DS records to
signal the signer's intent, algorithm-wise.  But that's not what the RFC
states, and it's not how unbound (for example) enforces the RFC.
Obviously, I am out of the loop when it comes to the intent of the RFCs,
so I defer to those who participate more fully in the standards community.
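The two readings discussed above can be made concrete with a small checker. This is an added example, not code from the thread or from any validator it mentions; the zone data (an example.com apex mid-way through a 5 to 10 rollover, with DS records naming only algorithm 10) is constructed. `check_dnskey_rule` applies the rule as the RFC 4035 section 2.2 text and unbound enforce it (every algorithm in the apex DNSKEY RRset must sign every RRset); `check_ds_rule` applies the DS-driven interpretation the thread attributes to the signer's intent. Running both on the same zone shows why a zone that looks complete under the DS reading still fails validation under the DNSKEY reading.

```python
"""Compare the two algorithm-signalling interpretations on one signed zone.

Added example; the DNSKEY, DS and RRSIG data below are constructed for
illustration and are not taken from any real zone.
"""

# Constructed apex DNSKEY RRset during an algorithm 5 -> 10 rollover.
# flags 257 = KSK (SEP bit set), 256 = ZSK.
DNSKEYS = [
    {"owner": "example.com.", "flags": 257, "algorithm": 5,  "keytag": 11111},
    {"owner": "example.com.", "flags": 257, "algorithm": 10, "keytag": 22222},
    {"owner": "example.com.", "flags": 256, "algorithm": 10, "keytag": 33333},
]

# Constructed DS RRset at the parent: only the algorithm 10 KSK is delegated.
DS_RECORDS = [{"algorithm": 10, "keytag": 22222}]

# Constructed RRSIG coverage: (owner, type) -> algorithms of the RRSIGs
# actually present on that RRset. The DNSKEY RRset was signed with both
# algorithms, but the rest of the zone was only re-signed with algorithm 10.
RRSIGS = {
    ("example.com.", "DNSKEY"): [5, 10],
    ("example.com.", "SOA"):    [10],
    ("example.com.", "NS"):     [10],
    ("www.example.com.", "A"):  [10],
}


def dnskey_algorithms(dnskeys):
    """Algorithms signalled by the apex DNSKEY RRset (RFC 4035 2.2 reading)."""
    return sorted({k["algorithm"] for k in dnskeys})


def ds_algorithms(ds_records):
    """Algorithms signalled by the parent's DS RRset (the DS-driven reading)."""
    return sorted({d["algorithm"] for d in ds_records})


def missing_signatures(rrsigs, required_algorithms):
    """Return {(owner, type): [algorithms lacking an RRSIG]} for every RRset
    that is not signed by at least one key of each required algorithm."""
    missing = {}
    for rrset, present in rrsigs.items():
        gaps = [alg for alg in required_algorithms if alg not in present]
        if gaps:
            missing[rrset] = gaps
    return missing


def check_dnskey_rule(dnskeys=DNSKEYS, rrsigs=RRSIGS):
    """The rule as written in RFC 4035 and enforced by validators such as
    unbound: the apex DNSKEY RRset alone decides which algorithms must sign."""
    return missing_signatures(rrsigs, dnskey_algorithms(dnskeys))


def check_ds_rule(ds_records=DS_RECORDS, rrsigs=RRSIGS):
    """The interpretation in which the DS RRset at the parent decides which
    algorithms must sign; a DNSKEY of an undelegated algorithm is ignored."""
    return missing_signatures(rrsigs, ds_algorithms(ds_records))


if __name__ == "__main__":
    print("apex DNSKEY algorithms:", dnskey_algorithms(DNSKEYS))
    print("parent DS algorithms:  ", ds_algorithms(DS_RECORDS))
    print("gaps under the DNSKEY rule:", check_dnskey_rule())
    print("gaps under the DS rule:    ", check_ds_rule())
```

Under the DS rule the zone reports no gaps, because algorithm 10 signs everything. Under the DNSKEY rule every RRset except the apex DNSKEY RRset is missing an algorithm 5 RRSIG, which is exactly the state a strict validator treats as bogus while the old algorithm 5 key is still published at the apex. The practical check before removing or adding a DNSKEY algorithm is therefore `check_dnskey_rule`, not the DS RRset.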