Hi Tony

On Thu, Feb 19, 2015 at 10:41:15AM +0000, Tony Finch wrote:
> > 2. Matching DNSKEYs in child for every DS algorithm type in parent are
> > not required in validator requirements to allow them to be more
> > accommodating with configuration mistakes. This doesn't give
> > importance to the possibility of downgrade attacks as much as
> > allowing validation to succeed through any chain. The possibility of
> > downgrade attacks is mentioned in RFC 4509 sec. 6.1, but nothing is
> > done towards avoiding it.
>
> I would have thought that mistakes are not the concern here: surely you
> have to allow a mismatch between algorithms in parent and child to support
> algorithm rollovers.
Is there a need for a DS RR to be dangling at the parent (i.e., not
pointing to any available DNSKEY at the child) during algorithm
rollovers?
Matching DNSKEY in child for every DS algorithm type in parent is a MUST
requirement for auth servers (RFC 6840 sec. 5.11). It's just not a
validator requirement.
Mukund
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
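The zone-side rule Mukund cites (RFC 6840 section 5.11: a DNSKEY for every algorithm that appears in the parent's DS RRset) and the "dangling DS" question can be turned into a check a zone operator runs before and during an algorithm rollover. What follows is an added example, not code from this thread or from any nameserver or validator. It computes key tags per RFC 4034 Appendix B and DS digests for digest types 2 (SHA-256, RFC 4509) and 4 (SHA-384, RFC 6605); the owner name, key flags and public-key bytes in the sample are constructed dummy values, not real key material, and in practice the two RRsets would be fetched from the parent and child with a tool such as dig.

```python
"""Compare a parent's DS RRset with a child's DNSKEY RRset.

Added example for the RFC 6840 5.11 discussion above; not code from the
DNSOP list, BIND, or any validator. Key material below is constructed.
"""
import hashlib
import struct

# DS digest types this example understands (RFC 4509 SHA-256, RFC 6605 SHA-384).
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the generic form used for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: dict, digest_type: int = 2) -> dict:
    """Build the DS RR the parent would publish for this DNSKEY (digest over owner name + RDATA)."""
    rdata = dnskey_rdata(key)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}


def check_ds_coverage(owner: str, ds_rrset: list, dnskey_rrset: list) -> dict:
    """Return the RFC 6840 5.11 algorithm check plus any dangling DS records.

    missing_algorithms: DS algorithms with no DNSKEY of that algorithm in the child.
    dangling_ds: (key_tag, algorithm) of DS RRs that match no child DNSKEY by
                 key tag, algorithm and digest (or whose digest type is unknown here).
    """
    child_algs = {k["algorithm"] for k in dnskey_rrset}
    missing = sorted({ds["algorithm"] for ds in ds_rrset} - child_algs)
    dangling = []
    for ds in ds_rrset:
        matched = False
        if ds["digest_type"] in DIGEST_ALGS:
            for key in dnskey_rrset:
                if key["algorithm"] == ds["algorithm"] and make_ds(owner, key, ds["digest_type"]) == ds:
                    matched = True
                    break
        if not matched:
            dangling.append((ds["key_tag"], ds["algorithm"]))
    return {"missing_algorithms": missing, "dangling_ds": dangling, "rfc6840_ok": not missing}


def sample_check() -> dict:
    """Constructed scenario: one good DS, one stale DS for a removed key, one DS for an algorithm the child lacks."""
    owner = "example.test."  # constructed owner name
    ksk = {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey": bytes(range(64))}        # dummy bytes
    zsk = {"flags": 256, "protocol": 3, "algorithm": 8, "pubkey": bytes(range(64, 128))}   # dummy bytes
    good_ds = make_ds(owner, ksk)
    stale_ds = dict(good_ds, key_tag=(good_ds["key_tag"] + 1) & 0xFFFF)  # points at a key no longer published
    foreign_ds = {"key_tag": 12345, "algorithm": 13, "digest_type": 2,
                  "digest": hashlib.sha256(b"constructed, not a key").digest()}
    return check_ds_coverage(owner, [good_ds, stale_ds, foreign_ds], [ksk, zsk])


if __name__ == "__main__":
    print(sample_check())
```

The check is deliberately the authoritative-side one: RFC 6840 lets a validator accept any single valid path and tells it not to insist that every algorithm in the DS RRset works, so a validator will not catch a missing algorithm for you. Run against the two RRsets at each step of a rollover, the check passes only if DNSKEYs (and signatures) for the new algorithm are published before the new DS appears, and the old DS is withdrawn before the old algorithm's keys are removed; the stale DS in the sample shows the second mistake, the foreign DS the first.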
