[Dnssec-deployment] cases - was Re: Barbie sez: "Algorithm rollovers are HARD!"
michael at rancid.berkeley.edu
Tue Aug 17 12:05:28 EDT 2010
On 08/17/10 08:13, Michael Sinatra wrote:
> It seems the issue is, how does the admin of the authoritative zone
> signal what algorithms are to be used for signing? Currently, it is the
> presence of the key in the DNSKEY RRset. It also could be the presence
> of the DS record(s) in the parent and/or trust anchor in the cache. But
> that is not currently the case--even if my only trust anchor/DS record
> is algorithm 10, the presence of an algorithm 5 DNSKEY in the zone apex
> means there must be both algorithm 5 and 10 RRSIGs.
It appears from the thread that Jelte cites, in particular Mark's
response, that the intent is for the presence/absence of DS records to
signal the signer's intent, algorithm-wise. But that's not what the RFC
states, and it's not how unbound (for example) enforces the RFC.
Obviously, I am out of the loop when it comes to the intent of the RFCs,
so I defer to those who participate more fully in the standards community.
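The rule the message turns on is the one in RFC 4035 section 2.2: every RRset in the zone must carry an RRSIG for every algorithm that appears in the apex DNSKEY RRset, regardless of which algorithms have a DS in the parent. The following is an added example, not code from the thread or from any signer or validator; it models a zone with plain tuples (constructed owner names, key tags and records, not real zone data) and lints it against that rule and against DS/DNSKEY correspondence, then walks a conservative algorithm rollover (signatures first, keys second, DS third, old keys out, old signatures out last, in the order RFC 6781 section 4.1.4 describes) and confirms every intermediate state stays consistent.

```python
"""Pre-rollover lint for DNSSEC algorithm rollovers (added example, constructed data).

Applies RFC 4035 section 2.2 (every RRset must be signed by every algorithm in
the apex DNSKEY RRset) and checks that each DS algorithm in the parent matches
a key with the SEP bit at the apex. Records are plain tuples, not wire format.
"""

# Algorithm numbers as used in the thread: 5 = RSASHA1, 10 = RSASHA512.
RSASHA1, RSASHA512 = 5, 10
KSK_FLAGS, ZSK_FLAGS = 257, 256  # 257 = zone key with the SEP bit set


class Zone:
    """Minimal zone model: apex DNSKEYs, per-RRset RRSIGs, parent-side DS algorithms."""

    def __init__(self, dnskeys, rrsigs, ds_in_parent):
        self.dnskeys = list(dnskeys)                            # [(flags, algorithm, key_tag)]
        self.rrsigs = {k: list(v) for k, v in rrsigs.items()}   # (owner, rrtype) -> [(alg, key_tag)]
        self.ds_in_parent = set(ds_in_parent)                   # algorithms that have a DS in the parent

    def copy(self):
        return Zone(self.dnskeys, self.rrsigs, self.ds_in_parent)


def dnskey_algorithms(zone):
    return {alg for _flags, alg, _tag in zone.dnskeys}


def missing_signatures(zone):
    """RFC 4035 2.2: return {(owner, rrtype): algorithms present in DNSKEY but lacking an RRSIG}."""
    required = dnskey_algorithms(zone)
    problems = {}
    for rrset, sigs in zone.rrsigs.items():
        missing = required - {alg for alg, _tag in sigs}
        if missing:
            problems[rrset] = missing
    return problems


def ds_problems(zone):
    """DS algorithms in the parent with no SEP-flagged key of that algorithm at the apex."""
    ksk_algs = {alg for flags, alg, _tag in zone.dnskeys if flags & 0x0001}
    return zone.ds_in_parent - ksk_algs


def is_consistent(zone):
    return not missing_signatures(zone) and not ds_problems(zone)


def conservative_rollover(zone, old_alg, new_alg, new_keys):
    """Yield (label, zone snapshot) for each step of a conservative rollover from old_alg
    to new_alg. new_keys is [(flags, new_alg, key_tag)] with exactly one SEP key."""
    ksk_tag = next(tag for flags, _alg, tag in new_keys if flags & 0x0001)
    zsk_tag = next(tag for flags, _alg, tag in new_keys if not flags & 0x0001)
    z = zone.copy()
    yield "0 start", z.copy()
    for (owner, rrtype) in z.rrsigs:                       # 1. sign everything with the new algorithm
        z.rrsigs[(owner, rrtype)].append((new_alg, ksk_tag if rrtype == "DNSKEY" else zsk_tag))
    yield "1 add new-alg RRSIGs", z.copy()
    z.dnskeys.extend(new_keys)                             # 2. only now publish the new DNSKEYs
    yield "2 add new-alg DNSKEYs", z.copy()
    z.ds_in_parent = {new_alg}                             # 3. swap the DS at the parent
    yield "3 swap DS", z.copy()
    z.dnskeys = [k for k in z.dnskeys if k[1] != old_alg]  # 4. withdraw the old-algorithm keys
    yield "4 remove old-alg DNSKEYs", z.copy()
    for rrset in z.rrsigs:                                 # 5. last of all, drop the old signatures
        z.rrsigs[rrset] = [s for s in z.rrsigs[rrset] if s[0] != old_alg]
    yield "5 remove old-alg RRSIGs", z.copy()


# Constructed sample matching the situation in the message: only algorithm 10 has a DS,
# but a leftover algorithm-5 ZSK is still published, so algorithm-5 RRSIGs are required too.
SAMPLE_ZONE = Zone(
    dnskeys=[(KSK_FLAGS, RSASHA512, 40001), (ZSK_FLAGS, RSASHA512, 40002), (ZSK_FLAGS, RSASHA1, 12345)],
    rrsigs={
        ("example.net.", "DNSKEY"): [(RSASHA512, 40001)],
        ("example.net.", "SOA"): [(RSASHA512, 40002)],
        ("www.example.net.", "A"): [(RSASHA512, 40002)],
    },
    ds_in_parent={RSASHA512},
)

# Constructed clean starting point for a 5 -> 10 rollover.
OLD_ZONE = Zone(
    dnskeys=[(KSK_FLAGS, RSASHA1, 11111), (ZSK_FLAGS, RSASHA1, 11112)],
    rrsigs={
        ("example.net.", "DNSKEY"): [(RSASHA1, 11111)],
        ("example.net.", "SOA"): [(RSASHA1, 11112)],
        ("www.example.net.", "A"): [(RSASHA1, 11112)],
    },
    ds_in_parent={RSASHA1},
)
NEW_KEYS = [(KSK_FLAGS, RSASHA512, 40001), (ZSK_FLAGS, RSASHA512, 40002)]

if __name__ == "__main__":
    print("sample zone missing RRSIGs:", missing_signatures(SAMPLE_ZONE))
    for label, snapshot in conservative_rollover(OLD_ZONE, RSASHA1, RSASHA512, NEW_KEYS):
        print(label, "consistent" if is_consistent(snapshot) else missing_signatures(snapshot))
```

Running the lint on the sample zone reports every RRset as lacking an algorithm-5 signature even though no DS of algorithm 5 exists, which is exactly the strict reading the message attributes to unbound; the rollover walk shows why publishing the new-algorithm DNSKEY before its signatures (the tempting shortcut) is the one ordering the same check rejects.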