[DNSOP] ECDSA woes

Fri, 14 Oct 2016 23:23:46 -0700 


Hi,
we have a deployment of home gateways, based on OpenWrt BB that uses dnsmasq v2.71 as resolver, with DNSSEC validation turned on. It seems some
Dnsmasq v2.71 does not support ECDSA. A rather large CDN uses ECDSA only. I also found bug reports for Debian with same problem, because they also used dnsmasq. 

Breakage occured, for instance www.ietf.org was not resolvable.

Our plan is now to disable DNSSEC validation on all of these HGWs.

So I read some documents:

https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02
https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-01

I via these found RFC4035:

"If the resolver does not support any of the algorithms listed in an
   authenticated DS RRset, then the resolver will not be able to verify
   the authentication path to the child zone.  In this case, the
   resolver SHOULD treat the child zone as if it were unsigned."
So obviously dnsmasq doesn't implement this SHOULD, because it treats these zones as bogus and doesn't respond back to the client.
(btw, what happens if the entire child zone and all its RRs are signed with an unknown algoritm, is that even covered in the above paragraph?)
It took us a while to figure out why things didn't work. We even fault reported this to the CDN who never at any time (during their prompt and friendly communication) indicated that they had any knowledge of resolvers that didn't support their chosen algorithm, or pointed me in that direction. 

So... my question to you fine people is:
Is there any (existing and freely available) testing suite I can run against my chosen resolver that tests all the SHOULDs and MUSTs regarding DNSSEC validation, including future proofing for new algorithms?
If not, I would like to call upon for instance ccTLD registrys, ISOC and others, to develop a test suite for this, maintain it over time, and make it freely available.
I like DNSSEC and want to see it widely deployed. It's an important part of Internet plumbing. These kinds of problems that I've had last weeks mean people who oppose it with FUD actually have concrete breakage to point at that means it's not "Uncertain" anymore. 

Thanks.

--
Mikael Abrahamsson    email: swm...@swm.pp.se

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to