[Dnssec-deployment] cases - was Re: Barbie sez: "Algorithm rollovers are HARD!"

Andrew Sullivan ajs at shinkuro.com
Wed Aug 18 12:58:30 EDT 2010


On Tue, Aug 17, 2010 at 08:13:41AM -0700, Michael Sinatra wrote:

> Would it be reasonable for the cache, in a situation where it saw an  
> algorithm mismatch between a cached DNSKEY and a newly-fetched RRSIG, to  
> re-fetch (ONCE only) the DNSKEY and then declare a validation failure if  
> it still didn't match?

No, because the definite article there is wrong.  If you're a cache,
you can't tell whether there's another cache in front of you.  This is
annoying and bad, but it's the way the world is.  And since you can't
tell that other cache, "No, I really mean it, please invalidate your
cache and go fetch the authoritative result," you're out of luck here.

> It seems the issue is, how does the admin of the authoritative zone  
> signal what algorithms are to be used for signing?  

It doesn't.  That's the reason that timing these changes is so tricky.

A


-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
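Added example (not code from the list or from any resolver): a toy model of a validating resolver that sits behind a forwarder cache, built to show Andrew's point. The validator implements the "re-fetch the DNSKEY once" idea from the quoted message, but the only thing it can flush is its own copy; the cache in front of it keeps serving whatever it holds until the TTL runs out. The model keeps one rule only, that an RRSIG can be checked against a DNSKEY of the same algorithm and key tag, and follows RFC 6840 section 5.11 in accepting any one matching signature. Key tags, TTLs, the 50-second check interval and the rollover timings are assumptions made for the illustration; the DS change at the parent is left out. It also shows the staged order from RFC 6781 (add new-algorithm signatures, wait, add the key, wait, drop old signatures, wait, drop the old key) succeeding only when each wait exceeds the DNSKEY TTL.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    alg: int
    tag: int


@dataclass(frozen=True)
class Sig:
    alg: int
    tag: int  # key tag of the signing DNSKEY


class Authoritative:
    """The live zone; the operator rewrites it as the rollover proceeds."""

    def __init__(self, keys, sigs, ttl):
        self.data = {"DNSKEY": frozenset(keys), "RRSIG": frozenset(sigs)}
        self.ttl = ttl

    def fetch(self, rrtype, now):
        return self.data[rrtype], self.ttl[rrtype]


class Cache:
    """Answers from memory until the entry expires, then asks upstream.
    Nothing downstream can make it refetch earlier."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.store = {}  # rrtype -> (rrset, absolute expiry time)

    def fetch(self, rrtype, now):
        hit = self.store.get(rrtype)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now  # remaining TTL, as a real cache passes on
        rrset, ttl = self.upstream.fetch(rrtype, now)
        self.store[rrtype] = (rrset, now + ttl)
        return rrset, ttl

    def flush(self, rrtype):
        self.store.pop(rrtype, None)


def has_matching_key(keys, sigs):
    """RFC 6840 sec. 5.11: one signature that checks out is sufficient."""
    return any(Key(s.alg, s.tag) in keys for s in sigs)


class Validator(Cache):
    """Validating cache using the quoted proposal: on an algorithm/tag
    mismatch, drop its own DNSKEY copy and refetch exactly once."""

    def validate(self, now):
        sigs, _ = self.fetch("RRSIG", now)
        keys, _ = self.fetch("DNSKEY", now)
        if has_matching_key(keys, sigs):
            return True
        self.flush("DNSKEY")
        keys, _ = self.fetch("DNSKEY", now)  # served by the cache in front of us
        return has_matching_key(keys, sigs)


# Assumed values: a long DNSKEY TTL and a short TTL on the signed RRset.
TTL = {"DNSKEY": 3600, "RRSIG": 60}
OLD, NEW = Key(5, 1001), Key(8, 2002)
OLD_SIG, NEW_SIG = Sig(5, 1001), Sig(8, 2002)


def simulate(schedule, horizon, every=50):
    """Apply zone changes [(time, keys, sigs), ...] as time passes, validate
    every `every` seconds, and return the times at which validation failed."""
    auth = Authoritative({OLD}, {OLD_SIG}, TTL)
    validator = Validator(Cache(auth))  # validator -> forwarder cache -> auth
    pending = sorted(schedule, key=lambda change: change[0])
    failures = []
    for now in range(0, horizon, every):
        while pending and pending[0][0] <= now:
            _, keys, sigs = pending.pop(0)
            auth.data = {"DNSKEY": frozenset(keys), "RRSIG": frozenset(sigs)}
        if not validator.validate(now):
            failures.append(now)
    return failures


def big_bang():
    """Swap key and signatures to the new algorithm in one step at t=10."""
    return simulate([(10, {NEW}, {NEW_SIG})], horizon=5000)


def staged(gap):
    """RFC 6781 order, waiting `gap` seconds between the four steps."""
    steps = [({OLD}, {OLD_SIG, NEW_SIG}), ({OLD, NEW}, {OLD_SIG, NEW_SIG}),
             ({OLD, NEW}, {NEW_SIG}), ({NEW}, {NEW_SIG})]
    schedule = [(10 + i * gap, k, s) for i, (k, s) in enumerate(steps)]
    return simulate(schedule, horizon=10 + 5 * gap)


if __name__ == "__main__":
    print("big bang: first/last failure", big_bang()[0], big_bang()[-1])
    print("staged, gap 3700s: failures", staged(3700))
    print("staged, gap 1000s: failures", staged(1000)[:3], "...")
```

In the big-bang case the validator starts failing as soon as the short-TTL RRSIG rolls over and stays broken until the forwarder's DNSKEY entry expires at 3600 seconds; the one-time refetch changes nothing because the answer comes from the forwarder, not the authoritative server. The staged schedule has no failures when the gap between steps is longer than the DNSKEY TTL, and reproduces the same stale-DNSKEY failure when the operator moves faster than the caches forget.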

