
[dnsext] RSA/SHA2 new NSEC3 text proposal





OK, I've refined the text a bit and made two possible versions of 5.2.2
for the validator part; see below.

There is the scary variant of my previous text, with a little
explanation of why it's a bad idea, and the version as Mark proposed,
which is safe and secure (but more of a burden on people who, for
whatever reason, think that you don't need NSEC3 validating code).



5.2.  Support for NSEC3 Denial of Existence

   Note that these algorithms have no aliases to signal NSEC3 denial of
   existence.  The alias mechanism used in RFC5155 was to protect
   implementations predating that RFC from encountering records they
   could not know about.

   Implementations that support RSA/SHA-2 algorithms SHOULD also
   implement NSEC3 denial of existence [RFC5155].

5.2.1.  NSEC3 in Authoritative servers

   An authoritative server that does not implement NSEC3 can still serve
   zones that use RSA/SHA2 with NSEC.



And one of these:

5.2.2.  NSEC3 in Validators

   If a validator chooses not to support NSEC3, it MUST recognize NSEC3
   Resource Records and treat any zone that uses those as unsigned,
   after verifying their signatures.  This does, however, make you
   insecure for negative answers within the zone, and is not
   recommended.

OR

5.2.2. NSEC3 in Validators

   A DNSSEC Validator that implements RSA/SHA2 MUST be able to
   handle both NSEC and NSEC3 negative answers. If the validator is
   not able to handle both, it MUST treat a zone signed with
   RSA/SHA256 or RSA/SHA512 as insecure.


Jelte
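Added example (not part of Jelte's message or of the draft text): a small model of what the two proposed 5.2.2 variants mean for a validator that does, or does not, implement NSEC3. It implements the RFC 5155 owner-name hash and the "covers" check that an NSEC3-aware validator applies to a negative answer, then classifies the same three answers under three validators: one with NSEC3 support, one following the first 5.2.2 text (verify the NSEC3 signatures, then treat the denial as unsigned) and one following the second text (treat the whole RSA/SHA2-signed zone as insecure). Assumptions: algorithm names RSASHA256/RSASHA512 are used instead of numeric codes, which the proposal does not give; RRSIG verification is represented by a constructed rrsig_ok flag rather than real RSA code; the salt, iteration count and zone names are constructed; only the single-record covering check is implemented, not the full closest-encloser proof of RFC 5155 section 8, and NSEC chains are not modelled at all.

```python
"""Added example: the two proposed 5.2.2 variants seen from a validator.

Not code from the draft or the mailing list. Signature verification is a
constructed rrsig_ok flag (no RSA here); names, salt and iterations below
are constructed; only the NSEC3 'covers' check is implemented, not the
full closest-encloser proof, and NSEC (RFC 4034) denial is not modelled.
"""
import base64
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

# Algorithm names only: numeric codes are not given in the proposal text.
RSA_SHA2 = frozenset({"RSASHA256", "RSASHA512"})
# RFC 4648 base32 alphabet -> base32hex, which NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0)=H(name|salt), IH(k)=H(IH(k-1)|salt), SHA-1,
    rendered in base32hex as it appears in an NSEC3 owner name."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def covers(owner: str, nxt: str, h: str) -> bool:
    """True if h lies strictly between an NSEC3 record's owner hash and its
    next hashed owner; the last record of the chain wraps (owner > next).
    base32hex preserves byte order, so string comparison is enough."""
    if owner == nxt:                 # single-record chain: everything but itself
        return h != owner
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def build_chain(names, salt: bytes, iterations: int) -> Tuple[Tuple[str, str], ...]:
    """Sorted (owner_hash, next_hash) pairs forming a complete NSEC3 chain."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return tuple((hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes)))


@dataclass
class Validator:
    algorithms: frozenset          # signature algorithms it can verify
    nsec3: bool                    # has NSEC3 validating code
    policy: str                    # "verify-then-unsigned" (first 5.2.2 text)
                                   # or "zone-insecure" (second 5.2.2 text)


@dataclass
class Answer:
    zone: str
    algorithm: str
    rrsig_ok: bool                 # constructed outcome of RRSIG verification
    qname: Optional[str] = None    # set only for negative answers
    nsec3: Tuple[Tuple[str, str], ...] = ()   # NSEC3 records in the authority section
    salt: bytes = b""
    iterations: int = 0


def classify(v: Validator, a: Answer) -> Status:
    """Security status a validator assigns to the answer."""
    if a.algorithm not in v.algorithms:
        return Status.INSECURE     # unknown algorithm: zone treated as unsigned
    if a.algorithm in RSA_SHA2 and not v.nsec3 and v.policy == "zone-insecure":
        return Status.INSECURE     # second text: no NSEC3 code, whole zone insecure
    if not a.rrsig_ok:
        return Status.BOGUS        # both texts still require the signatures to verify
    if a.qname is None:
        return Status.SECURE       # positive answer, signatures verified
    if not v.nsec3:
        return Status.INSECURE     # first text: NSEC3 seen, denial left unchecked
    h = nsec3_hash(a.qname, a.salt, a.iterations)
    return Status.SECURE if any(covers(o, n, h) for o, n in a.nsec3) else Status.BOGUS


def demo() -> Dict[Tuple[str, str], Status]:
    """Constructed scenario: three validators look at the same three answers."""
    salt, iters = bytes.fromhex("aabbccdd"), 12                 # constructed
    chain = build_chain(["example.", "a.example.", "b.example."], salt, iters)
    genuine = Answer("example.", "RSASHA256", True, "c.example.", chain, salt, iters)
    # Replayed, correctly signed NSEC3 records presented as a denial of a name
    # that does exist: only a validator with NSEC3 code can notice.
    forged = Answer("example.", "RSASHA256", True, "a.example.", chain, salt, iters)
    positive = Answer("example.", "RSASHA256", True)
    validators = {
        "nsec3-aware": Validator(RSA_SHA2, True, "zone-insecure"),
        "first 5.2.2": Validator(RSA_SHA2, False, "verify-then-unsigned"),
        "second 5.2.2": Validator(RSA_SHA2, False, "zone-insecure"),
    }
    answers = (("genuine", genuine), ("forged", forged), ("positive", positive))
    return {(vn, an): classify(v, a) for vn, v in validators.items() for an, a in answers}


if __name__ == "__main__":
    for (validator, answer), status in demo().items():
        print(f"{validator:13} {answer:9} -> {status.value}")
```

The matrix it prints is the point of the two texts: the NSEC3-aware validator proves the genuine denial and rejects the replayed one as bogus; a validator following the first text returns "insecure" for every negative answer in the zone, forged or not, while still securing positive answers; a validator following the second text gives "insecure" for everything from the zone, including positive answers and NSEC-only zones signed with RSA/SHA2, which is the extra burden Jelte mentions. RFC 5155 Appendix A lists hashed owner names for its example zone that nsec3_hash can be checked against.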

archive: <http://ops.ietf.org/lists/namedroppers/>