On Thu, Sep 02, 2021 at 11:15:32AM +1000, Mark Andrews <ma...@isc.org> wrote:
> The primary reason that it is per algorithm is that validators and
> signers are not required to support the same sets of algorithms and
> if you want validation to work for everyone the zone has to be fully
> signed for each algorithm that you state that it is signed for, i.e.
> published in the DS RRset held in the parent zone. CDS and CDNSKEY
> also publish this but are not used as part of the validation process.
>
> If you publish that you are signed for ALG-A and ALG-B and the validator
> only supports ALG-B, then if you don’t sign all the zone with ALG-B
> there will be answers that can’t be validated. The same applies if
> the validator only supports ALG-A and you don’t fully sign the zone
> with ALG-A.
>
> Downgrade attacks are where you support both algorithms but someone
> strips out the signatures from one of the algorithms because they
> have succeeded in breaking the other algorithm. DNSSEC does not
> require that validators detect this condition, though some validators
> can be configured to force checks for every published algorithm that
> you support. If a validator wants to protect itself from downgrade
> attacks it needs to limit itself to only checking RRSIGs for algorithms
> listed in the DS RRset and ensure that all algorithms listed there are
> present in the response and that the signatures are good.
>
> Mark

Thanks again!

cheers,
raf
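The two checks Mark describes, as an added example that is not from the thread or from BIND: a signer-side check that every RRset carries a signature for every DS-listed algorithm, and a validator-side comparison of the lenient "any one good algorithm" rule against the strict "every DS-listed algorithm present and good" rule that detects a stripped algorithm. The DS/RRSIG records and algorithm numbers are constructed, and the cryptographic verification of each signature is assumed to have been done elsewhere (the `verifies` flag).

```python
"""Multi-algorithm DNSSEC checks (constructed example, not BIND code).
Algorithm numbers are IANA DNSSEC codes: 8 = RSASHA256, 13 = ECDSAP256SHA256."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    verifies: bool  # result of the cryptographic check, assumed done elsewhere


def zone_fully_signed(ds_rrset, zone_rrsigs):
    """Signer side: every RRset must carry an RRSIG for every algorithm in DS.
    zone_rrsigs maps an RRset name to its RRSIGs; returns names missing one."""
    ds_algs = {ds.algorithm for ds in ds_rrset}
    return sorted(name for name, sigs in zone_rrsigs.items()
                  if not ds_algs <= {s.algorithm for s in sigs})


def lenient_validate(ds_rrset, rrsigs):
    """Validator side, default behaviour: secure if any DS-listed algorithm
    has a good signature. A stripped second algorithm goes unnoticed."""
    ds_algs = {ds.algorithm for ds in ds_rrset}
    return any(s.verifies and s.algorithm in ds_algs for s in rrsigs)


def strict_validate(ds_rrset, rrsigs):
    """Validator side, downgrade-resistant: only RRSIGs whose algorithm is in
    the DS RRset count, and every DS-listed algorithm needs a good one.
    Returns (ok, list of DS algorithms with no good signature)."""
    ds_algs = {ds.algorithm for ds in ds_rrset}
    good = {s.algorithm for s in rrsigs if s.verifies and s.algorithm in ds_algs}
    missing = sorted(ds_algs - good)
    return (not missing, missing)


# Constructed data: parent publishes DS for ALG 8 (tag 12345) and ALG 13 (tag 54321).
DS_RRSET = [DS(12345, 8), DS(54321, 13)]
FULLY_SIGNED = [RRSIG(8, 12345, True), RRSIG(13, 54321, True)]
ALG13_STRIPPED = [RRSIG(8, 12345, True)]        # ALG 13 signature removed in transit
UNLISTED_ONLY = [RRSIG(14, 11111, True)]        # algorithm not in DS: must not count
ZONE = {"example.": FULLY_SIGNED, "www.example.": [RRSIG(8, 12345, True)]}
```

With this data `zone_fully_signed` reports `www.example.` as incompletely signed, `lenient_validate` accepts the stripped response, and `strict_validate` rejects it with algorithm 13 listed as missing.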