[Dnssec-deployment] algorithm downgrade
owens at nysernet.org
Thu Sep 15 10:04:03 EDT 2011
On Thu, Sep 15, 2011 at 01:35:03PM +0000, Blacka, David wrote:
> On Sep 15, 2011, at 9:17 AM, Bill Owens wrote:
> > I don't think this is NSEC3-specific, there could be other reasons for an algorithm rollover - but the point is that you're changing from one algorithm to another, and at some point you will stop signing records with the old algorithm. At that point, any outdated validator will return bogus. The DS/DNSKEY issue is a problem, but the way to fix it is to remove the old algorithm entirely, and the end result for anyone running old code is the same, right?
> You only remove the old algorithm once the DS RRset in the parent only reflects the new algorithm. At that point, even "old" validators must treat the answers from the child as unsigned rather than bogus.
Ah, that's where I went wrong - I didn't realize that an unsupported algorithm causes the answers to be considered unsigned; I thought it made the answers bogus. Of course that means that in this case the old validator would have already marked .gov as unsigned, and never requested the DS RRset for virginia.gov.
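The distinction the two messages above settle on (a DS RRset whose algorithms a validator does not implement makes the delegation insecure, not bogus, per RFC 4035 section 5.2, while withdrawing the old algorithm's signatures before the parent's DS has been updated makes it bogus) is easy to see in a toy model. The following Python is an added illustration, not code from the list or from any validator; the key tags, zone names and the RSASHA1 to RSASHA256 rollover schedule are constructed, the DS digest match is replaced by a key-tag/algorithm match, and signatures are assumed to verify whenever the validator supports their algorithm.

```python
"""Toy model of how a DNSSEC validator classifies a delegation during an
algorithm rollover (RFC 4035 section 5.2; RFC 6840 section 5.11).

Constructed example: zone contents and key tags are made up, the DS digest
check is approximated by a key-tag/algorithm match, and an RRSIG is taken to
verify whenever the validator implements its algorithm.
"""
from typing import Dict, List, NamedTuple, Set, Tuple

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry
RSASHA1 = 5
RSASHA256 = 8
# Digest type numbers from the IANA DS Digest Algorithms registry
SHA1 = 1
SHA256 = 2

# A validator that predates RSASHA256 support vs one that implements both
OLD_VALIDATOR: Set[int] = {RSASHA1}
NEW_VALIDATOR: Set[int] = {RSASHA1, RSASHA256}


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int


class DNSKEY(NamedTuple):
    key_tag: int
    algorithm: int


class RRSIG(NamedTuple):
    key_tag: int
    algorithm: int


def delegation_status(ds_set: List[DS], dnskeys: List[DNSKEY], rrsigs: List[RRSIG],
                      supported_algs: Set[int],
                      supported_digests: Tuple[int, ...] = (SHA1, SHA256)) -> str:
    """Classify a child zone as 'secure', 'insecure' or 'bogus'."""
    # RFC 4035 5.2: only a DS whose algorithm AND digest type are implemented
    # is usable.  No usable DS => treat the delegation as unsigned (insecure),
    # never as bogus.  This is the point Bill initially had backwards.
    usable_ds = [d for d in ds_set
                 if d.algorithm in supported_algs and d.digest_type in supported_digests]
    if not usable_ds:
        return "insecure"
    # A usable DS must correspond to a DNSKEY in the child; key tag plus
    # algorithm stand in for the digest comparison in this model.
    trusted = {(k.key_tag, k.algorithm) for k in dnskeys
               if any(d.key_tag == k.key_tag and d.algorithm == k.algorithm
                      for d in usable_ds)}
    if not trusted:
        return "bogus"
    # RFC 6840 5.11: one valid path suffices.  The data must carry an RRSIG
    # made by a trusted key with an algorithm this validator can check.
    for s in rrsigs:
        if (s.key_tag, s.algorithm) in trusted and s.algorithm in supported_algs:
            return "secure"
    return "bogus"


def rollover_phases():
    """Constructed schedule for moving a zone from RSASHA1 to RSASHA256."""
    k_old, k_new = DNSKEY(12345, RSASHA1), DNSKEY(54321, RSASHA256)
    s_old, s_new = RRSIG(12345, RSASHA1), RRSIG(54321, RSASHA256)
    ds_old, ds_new = DS(12345, RSASHA1, SHA1), DS(54321, RSASHA256, SHA256)
    return [
        ("before",                  [ds_old],         [k_old],        [s_old]),
        ("add new key and sigs",    [ds_old],         [k_old, k_new], [s_old, s_new]),
        ("add new DS",              [ds_old, ds_new], [k_old, k_new], [s_old, s_new]),
        ("remove old DS",           [ds_new],         [k_old, k_new], [s_old, s_new]),
        ("remove old key and sigs", [ds_new],         [k_new],        [s_new]),
    ]


def rollover_report(supported_algs: Set[int]) -> Dict[str, str]:
    """Status an (old or new) validator assigns at each rollover phase."""
    return {name: delegation_status(ds, keys, sigs, supported_algs)
            for name, ds, keys, sigs in rollover_phases()}


def premature_removal(supported_algs: Set[int]) -> str:
    """The ordering mistake worried about in the first message: old-algorithm
    signatures withdrawn while the parent still publishes the old DS."""
    ds = [DS(12345, RSASHA1, SHA1), DS(54321, RSASHA256, SHA256)]
    keys = [DNSKEY(12345, RSASHA1), DNSKEY(54321, RSASHA256)]
    sigs = [RRSIG(54321, RSASHA256)]
    return delegation_status(ds, keys, sigs, supported_algs)


def chain_status(chain, supported_algs: Set[int]) -> Dict[str, str]:
    """Walk parent-to-child.  Once a zone is insecure its descendants are
    insecure without their DS ever being requested (the virginia.gov remark);
    once bogus, everything below stays bogus."""
    status, result = "secure", {}
    for name, ds_set, dnskeys, rrsigs in chain:
        if status == "secure":
            status = delegation_status(ds_set, dnskeys, rrsigs, supported_algs)
        result[name] = status
    return result


def chain_example(supported_algs: Set[int]) -> Dict[str, str]:
    """Constructed chain: the anchor (modelled as a DS) uses RSASHA1, the TLD's
    DS has already been switched to RSASHA256 only."""
    root = (".",            [DS(1, RSASHA1, SHA1)],     [DNSKEY(1, RSASHA1)],   [RRSIG(1, RSASHA1)])
    tld  = ("gov",          [DS(2, RSASHA256, SHA256)], [DNSKEY(2, RSASHA256)], [RRSIG(2, RSASHA256)])
    leaf = ("virginia.gov", [DS(3, RSASHA256, SHA256)], [DNSKEY(3, RSASHA256)], [RRSIG(3, RSASHA256)])
    return chain_status([root, tld, leaf], supported_algs)


if __name__ == "__main__":
    for label, algs in (("old validator", OLD_VALIDATOR), ("new validator", NEW_VALIDATOR)):
        print(label, rollover_report(algs), premature_removal(algs), chain_example(algs))
```

Running it shows the old validator going secure, secure, secure, insecure, insecure through the five phases (the new one stays secure throughout), returning bogus for the premature-removal case, and reporting .gov and virginia.gov as insecure in the chain walk without virginia.gov's DS being consulted.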