Re: [dnsext] RSA/SHA2 new NSEC3 text proposal
In message <49477F09.90009@NLnetLabs.nl>, Jelte Jansen writes:
>
> OK, I've refined the text a bit, and made two possible versions of 5.2.2
> for the validator part, see below.
>
> There is the scary variant of my previous text, with a little
> explanation on why it's a bad idea, and the version like Mark proposed,
> which is safe and secure (but more of a burden on people who for
> whatever reason would think that you don't need nsec3 validating code).
>
> 5.2. Support for NSEC3 Denial of Existence
>
> Note that these algorithms have no aliases to signal NSEC3 denial of
> existence. The aliases mechanism used in RFC5155 was to protect
> implementations predating that RFC from encountering records they
> could not know about.
>
> Implementations that support RSA/SHA-2 algorithms SHOULD also
> implement NSEC3 denial of existence [RFC5155].
>
> 5.2.1. NSEC3 in Authoritative servers
>
> An authoritative server that does not implement NSEC3 can still serve
> zones that use RSA/SHA2 with NSEC.
>
> 5.2.2. NSEC3 in Validators
>
> A DNSSEC Validator that implements RSA/SHA2 MUST be able to
> handle both NSEC and NSEC3 negative answers. If the validator is
> not able to handle both, it MUST treat a zone signed with
> RSA/SHA256 or RSA/SHA512 as insecure.
This version of 5.2.2 reflects what is being signaled.
> Jelte
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
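The difference the quoted 5.2/5.2.2 text turns on is what a validator can infer from the algorithm number alone: RFC 5155's aliased algorithms (6 and 7) tell an NSEC-only validator to treat the zone as unknown and hence insecure, while RSA/SHA-2 carries no such alias, so the draft spells the rule out. The following is an added example that models that decision; it is not code from the draft, from RFC 5155 or from any resolver. It assumes a toy validator that implements only the six algorithm numbers listed (3, 5, 6, 7 from the IANA registry and RFC 5155, plus 8 and 10 for RSASHA256 and RSASHA512), and the DNSKEY records it parses are constructed, with placeholder key material.

```python
"""Model of the validator rule in the proposed 5.2.2 text (added example)."""

# IANA DNSSEC algorithm numbers (6 and 7 are the NSEC3 aliases from RFC 5155;
# 8 and 10 are RSASHA256 and RSASHA512).
DSA = 3
RSASHA1 = 5
DSA_NSEC3_SHA1 = 6
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
RSASHA512 = 10

# Algorithms whose number itself tells a pre-RFC5155 validator "NSEC3 ahead".
NSEC3_ALIAS_ALGORITHMS = {DSA_NSEC3_SHA1, RSASHA1_NSEC3_SHA1}
# RSA/SHA-2 carries no such alias, which is why the draft needs an explicit
# rule for validators that lack NSEC3 support.
RSA_SHA2_ALGORITHMS = {RSASHA256, RSASHA512}
# Algorithms this toy validator has signature-verification code for (assumption).
IMPLEMENTED = {DSA, RSASHA1} | NSEC3_ALIAS_ALGORITHMS | RSA_SHA2_ALGORITHMS


def algorithm_usable(alg, supports_nsec3):
    """True if a validator (with or without NSEC3 code) may validate
    signatures made with algorithm number `alg`."""
    if alg not in IMPLEMENTED:
        return False          # unknown algorithm: never usable
    if supports_nsec3:
        return True           # both NSEC and NSEC3 denials can be checked
    if alg in NSEC3_ALIAS_ALGORITHMS:
        return False          # RFC 5155 backwards-compatibility: treat as unknown
    if alg in RSA_SHA2_ALGORITHMS:
        return False          # proposed 5.2.2: zone MUST be treated as insecure
    return True               # NSEC-era algorithm, NSEC-only validator is fine


def zone_status(dnskey_algorithms, supports_nsec3):
    """'validate' if at least one DNSKEY algorithm is usable, else 'insecure'
    (a zone whose algorithms the validator cannot use is insecure, not bogus)."""
    usable = [a for a in dnskey_algorithms if algorithm_usable(a, supports_nsec3)]
    return "validate" if usable else "insecure"


def dnskey_algorithms(rrset_text):
    """Pull the algorithm field out of DNSKEY records in presentation format:
    owner TTL class DNSKEY flags protocol algorithm public-key."""
    algs = []
    for line in rrset_text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        # flags at i+1, protocol at i+2, algorithm at i+3
        algs.append(int(fields[i + 3]))
    return algs


# Constructed sample: a zone that has rolled from RSASHA1 to RSASHA256 and
# still publishes both keys (key material is a placeholder, not a real key).
SAMPLE_DNSKEYS = """\
example. 3600 IN DNSKEY 257 3 5 AwEAAPLACEHOLDERKSK==
example. 3600 IN DNSKEY 256 3 8 AwEAAPLACEHOLDERZSK==
"""

if __name__ == "__main__":
    algs = dnskey_algorithms(SAMPLE_DNSKEYS)
    for nsec3 in (True, False):
        print(f"NSEC3 support={nsec3}: {zone_status(algs, nsec3)}")
    # A zone signed only with RSASHA256 is insecure to an NSEC-only validator.
    print(zone_status([RSASHA256], supports_nsec3=False))
```

Running the block shows the practical consequence of the quoted rule: while the sample zone still publishes an RSASHA1 key, an NSEC-only validator keeps validating it; once the zone is signed with RSASHA256 alone, that validator falls back to insecure rather than bogus, which is the outcome the second, "safe and secure" variant of 5.2.2 is designed to guarantee.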
--
archive: <http://ops.ietf.org/lists/namedroppers/>