DNSSEC - mismatch between algorithm and type of NSEC
kalman.feher at melbourneit.com.au
Wed Dec 29 11:54:04 UTC 2010
What was the observed behaviour in your test system?
>From a sanity point of view and if you are checking the zone prior to
accepting the DNSKEY, then I see nothing wrong in rejecting it. There are
already other restrictions on domains in .EU that establish a precedent for
being more demanding on DNSSEC signed zones.
On 29/12/10 9:37 AM, "Marc Lampo" <marc.lampo at eurid.eu> wrote:
> And my best whishes for the new year 2011 !
> May we have lots of interesting questions, where we all can learn from ;-)
> (hope my question is also in that category ...)
> As .eu top level domain we try to avoid inserting DS records in our zone
> where corresponding DNSKEY information is missing from the customers' zone
> thus avoiding to activated DNSSEC with an already broken chain-of-trust.
> However, we now found the following case :
> 1) registrar offers us DNSKEY information with algorithm 7 :
> 2) in the zone file, there are NSEC (and not NSEC3) records
> Public DNSSEC verification tools (dnsviz, verisignlabs)
> don't seem to make a problem out of this
> (they do signal an insecure delegation, obviously : we don't publish a DS
> ((there must be a wildcard in the zone file,
> So I can enter a domain name where the verification tools get NSEC
> I can simulate the case in a test environment, of course,
> But then I only see the behaviour of a specific name server
> But what is the list's interpretation of this situation : erronous or not
> Does any DNSSEC RFC mention this case and prescribe a reaction to this ?
> (I didn't find any -
> RFC5155 states the new algorithms - 6 and 7 - *must* be used when NSEC3
> is used,
> But not a word - unless I overlooked it - about using algorithm 7 and
> yet, NSEC ...)
> Looking forward to your comments.
> Kind regards,
> Marc Lampo
> Security Officer
> Woluwelaan 150
> 1831 Diegem - Belgium
> TEL.: +32 (0) 2 401 3030
> MOB.:+32 (0)476 984 391
> marc.lampo at eurid.eu
> Want a .eu web address in your own language? Find out how so you don¹t
> miss out!
> Register your .eu domain name and win an iPod touch this X-Mas
> bind-users mailing list
> bind-users at lists.isc.org
More information about the bind-users