[DNSSEC] BIND validates but not Unbound: who is right?

Mukund Sivaraman muks at isc.org
Mon Feb 16 17:49:51 UTC 2015


On Mon, Feb 16, 2015 at 10:39:52PM +0530, Mukund Sivaraman wrote:
> DNSviz also has explanation for why the green shapes are secure.

(1) There is one item that bothers me:

"fr. to cepn.asso.fr.: The DS RRset for the zone included algorithm 5
(RSASHA1), but no key with algorithm 5 was found signing the zone's
DNSKEY RRset. (195.68.96.3, 217.70.177.40)"

I don't know what causes this message (the same message is shown when
hovering on the arrow between the "fr." zone and "cepn.asso.fr." zone
boxes).

(2) I wonder if Unbound is unusually strict in checking that different
DS algorithms have corresponding DNSKEYs at the child, to avoid
downgrade attacks. In the case of an RRSIG, this is a "MUST"
requirement, that signatures exist for different DNSKEY algorithms to
prevent downgrade attacks.  (RFC 5702 sec. 8.2; RFC 4035 sec. 2.2)

But while RFC 4509 sec. 6 talks about this issue in the case of DS with
SHA-2 algorithms, there is no requirement there.

		Mukund
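Added example (not part of the mail, nor BIND's or Unbound's code): a small Python model of the two DS-to-DNSKEY matching rules contrasted above, run over constructed records shaped like the "fr." to "cepn.asso.fr." case. The record classes, key tags and the match-by-tag-and-algorithm shortcut are assumptions; no digests or signatures are verified.

```python
from dataclasses import dataclass
# Simplified record models (constructed for this example): no digests or
# signature bytes, so digest and signature verification is out of scope.
@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int

@dataclass(frozen=True)
class RRSIG:  # an RRSIG covering the child's DNSKEY RRset
    key_tag: int
    algorithm: int

def dnskey_signers(dnskeys, rrsigs):
    """(key_tag, algorithm) pairs of DNSKEYs that have an RRSIG over the
    DNSKEY RRset; matching is by tag and algorithm only (assumption)."""
    sigs = {(s.key_tag, s.algorithm) for s in rrsigs}
    return {(k.key_tag, k.algorithm) for k in dnskeys} & sigs

def lenient_secure(ds_set, dnskeys, rrsigs):
    """Any single DS that points at a signing DNSKEY is enough to treat the
    delegation as secure (the matching described in RFC 4035 section 5.2)."""
    signers = dnskey_signers(dnskeys, rrsigs)
    return any((ds.key_tag, ds.algorithm) in signers for ds in ds_set)

def missing_ds_algorithms(ds_set, dnskeys, rrsigs):
    """Stricter reading discussed in the mail: every algorithm listed in the
    DS RRset needs a DNSKEY of that algorithm signing the DNSKEY RRset.
    Returns the algorithms for which that fails (empty list == consistent)."""
    signing_algs = {alg for _, alg in dnskey_signers(dnskeys, rrsigs)}
    return sorted({ds.algorithm for ds in ds_set} - signing_algs)

def explain(parent, child, ds_set, dnskeys, rrsigs):
    """One DNSViz-style message per algorithm failing the strict check
    (wording modelled on the message quoted in the mail)."""
    return [f"{parent} to {child}: The DS RRset for the zone included algorithm "
            f"{alg}, but no key with algorithm {alg} was found signing the "
            f"zone's DNSKEY RRset."
            for alg in missing_ds_algorithms(ds_set, dnskeys, rrsigs)]

# Constructed data: the parent lists DS records for algorithms 5 and 8, but
# the child serves and signs with algorithm 8 keys only. Key tags are made up.
PARENT_DS = [DS(12345, 5), DS(23456, 8)]
CHILD_KEYS = [DNSKEY(23456, 8), DNSKEY(34567, 8)]
CHILD_SIGS = [RRSIG(23456, 8)]
```

On the constructed data the lenient rule accepts the delegation while the strict rule reports algorithm 5 as unsupported by the child, which is exactly the disagreement the mail describes.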