The primary reason that it is per algorithm is that validators and signers are not required to support the same sets of algorithms and if you want validation to work for everyone the zone has to be fully signed for each algorithm that you state that it is signed for, i.e. published in the DS RRset held in the parent zone. CDS and CDNSKEY also publish this but are not used as part of the validation process.
If publish that you are signed for ALG-A and ALG-B and the validator only supports ALG-B, then if you don’t sign all the zone with ALG-B there will be answers that can’t be validated. The same applies if the validator only supports ALG-A and you don’t fully sign the zone with ALG-A. Downgrade attacks are where you support both algorithms but someone strips out the signatures from one of the algorithms because they have succeeded in breaking the other algorithm. DNSSEC does not require that validators detect this condition, though some validators can be configured to force checks for every published algorithm that you support. If a validator wants to protect itself from downgrade attacks it needs to limit itself to only checking RRSIGs for algorithms listed in the DS RRset and ensure that all algorithms listed there are present in the response and that the signatures are good. Mark > On 2 Sep 2021, at 09:30, raf via bind-users <[email protected]> wrote: > > On Wed, Sep 01, 2021 at 03:04:56PM +0100, Tony Finch <[email protected]> wrote: > >> raf via bind-users <[email protected]> wrote: >>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton >>> <[email protected]> wrote: >>> >>>> What algorithm(s) are you using for ZSK and KSK? If they’re not the >>>> same algorithm, then both will be used to sign the entire zone. >>> >>> Just out of curiosity, why is that? >>> Isn't having the KSK sign the ZSK enough? >> >> As well as what Mark said, the reason signing is per-algorithm is to do >> with downgrade protection: if there's a situation where validators support >> different algorithms (e.g. some have deprecated a bad algorithm but some >> have not yet deployed its replacement) then a signer can support all the >> validators by signing with both algorithms, without causing problems for >> the newer validators that want to distrust the old algorithm. A validator >> can decide whether a zone is secure or not based purely on the algorithms >> listed in its DS RRset. >> >> Tony. >> -- >> f.anthony.n.finch <[email protected]> https://dotat.at/ >> Northwest Bailey: Southwesterly 3 to 5. Slight. Showers. Good. > > Thanks. > > cheers, > raf > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > [email protected] > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
