Hi Ben,

Yes, RFC 6840 tells validators to be lax.

However, it also requires exactly the same as RFC 4035 from signers.

As I understand it, the requirement is rephrased, but entirely equivalent, and there is a MUST.

So, is your proposal only about a bit in the DNSKEY record, signalling "this zone is RFC compliant"?

If so, I have no more questions, but you should maybe state this clearly ;)

Cheers,

Libor

On 23. 02. 21 at 16:26 Ben Schwartz wrote:
Libor,

That's what I thought too.  See RFC 6840 Section 5.11:

> The last paragraph of Section 2.2 of [RFC4035] includes rules
> describing which algorithms must be used to sign a zone.  Since these
> rules have been confusing, they are restated using different language
> here:
...
>> A signed zone MUST include a DNSKEY for each algorithm present in
>> the zone's DS RRset and expected trust anchors for the zone.  The
>> zone MUST also be signed with each algorithm (though not each key)
>> present in the DNSKEY RRset.
...
> This requirement applies to servers, not validators. Validators
> SHOULD accept any single valid path.

RFC 6840 tells validators to be lax, so if we want to enforce this rule then we need a signal (or we need to update RFC 6840).

On Tue, Feb 23, 2021 at 10:17 AM libor.peltan <libor.pel...@nic.cz> wrote:

    Hi Ben,

    could you please briefly summarize how this relates to the last
    paragraph of https://tools.ietf.org/html/rfc4035#section-2.2 ?

    The way I understand it, each DNSKEY already must be treated
    as the proposed "strict" mode, thus this proposal is completely
    useless.

    Thanks,

    Libor

    On 23. 02. 21 at 16:08 Ben Schwartz wrote:
    Inspired by some recent discussions here (and at DNS-OARC), and
    hastened by the draft cut-off, I present for your consideration
    "DNSSEC Strict Mode":
    https://datatracker.ietf.org/doc/html/draft-schwartz-dnsop-dnssec-strict-mode-00


    Abstract:
    Currently, the DNSSEC security of a zone is limited by the
    strength of its weakest signature algorithm. DNSSEC Strict Mode
    makes zones as secure as their strongest algorithm instead.

    The draft has a long discussion about why and how, but the core
    normative text is just three sentences:

    The DNSSEC Strict Mode flag appears in bit $N of the DNSKEY flags
    field.  If this flag is set, all records in the zone MUST be
    signed correctly under this key's specified Algorithm.  A
    validator that receives a Strict Mode DNSKEY with a supported
    Algorithm SHOULD reject as Bogus any RRSet that lacks a valid
    RRSIG with this Algorithm.

    --Ben Schwartz

    _______________________________________________
    DNSOP mailing list
    DNSOP@ietf.org
    https://www.ietf.org/mailman/listinfo/dnsop

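The two rules the thread contrasts, the signer MUST quoted from RFC 6840 section 5.11 and the validator behaviour in the draft's three normative sentences, modelled side by side in an added Python example (this is not code from the draft or from either poster). It assumes IANA algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256), represents the Strict Mode flag as a boolean because the draft still writes its bit position as "$N", and stands in for actual RRSIG verification with a precomputed set of algorithms under which each RRset carries a valid signature; the zone data is constructed.

```python
"""Added example: the RFC 6840 section 5.11 signer rule next to the validator
decision under RFC 6840 ("accept any single valid path") and under the proposed
DNSSEC Strict Mode flag.  Zone data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int        # IANA DNSSEC algorithm number (8 = RSASHA256, 13 = ECDSAP256SHA256)
    strict: bool = False  # proposed Strict Mode flag; the draft leaves its bit position as "$N"


@dataclass
class Zone:
    ds_algorithms: set  # algorithms present in the parent's DS RRset
    dnskeys: list       # the zone's DNSKEY RRset
    # owner name -> algorithms under which the RRset carries a cryptographically
    # valid RRSIG (the signature checks themselves are assumed done elsewhere)
    rrsets: dict


def signer_violations(zone):
    """MUST rules for the signer (RFC 4035 s2.2 as restated in RFC 6840 s5.11):
    a DNSKEY for every DS algorithm, and every RRset signed with every algorithm
    in the DNSKEY RRset.  Returns human-readable violations, empty if compliant."""
    problems = []
    key_algs = {k.algorithm for k in zone.dnskeys}
    for alg in sorted(zone.ds_algorithms - key_algs):
        problems.append(f"DS algorithm {alg} has no DNSKEY")
    for name, sig_algs in zone.rrsets.items():
        for alg in sorted(key_algs - sig_algs):
            problems.append(f"{name}: no valid RRSIG with algorithm {alg}")
    return problems


def validate_rrset(zone, name, supported, strict_mode):
    """Validator verdict for one RRset.

    supported   -- algorithms this validator implements
    strict_mode -- whether the validator honours the Strict Mode flag
    """
    key_algs = {k.algorithm for k in zone.dnskeys}
    usable = zone.ds_algorithms & key_algs & supported
    if not usable:
        # No supported authentication path from the parent: treat as unsigned
        # (RFC 6840 s5.2), not as a failure.
        return "Insecure"
    sig_algs = zone.rrsets.get(name, set())
    if not (sig_algs & usable):
        return "Bogus"  # no valid signature under any usable algorithm
    if strict_mode:
        # Draft rule: a Strict Mode DNSKEY with a supported algorithm demands a
        # valid RRSIG with that algorithm on every RRset.
        required = {k.algorithm for k in zone.dnskeys
                    if k.strict and k.algorithm in supported}
        if required - sig_algs:
            return "Bogus"
    return "Secure"  # RFC 6840 s5.11: any single valid path is enough


# Constructed zone: the algorithm 13 key is Strict, but mail.example. was only
# signed with the legacy algorithm 8 (a signer defect the signer rule catches).
EXAMPLE = Zone(
    ds_algorithms={8, 13},
    dnskeys=[DNSKEY(8), DNSKEY(13, strict=True)],
    rrsets={"www.example.": {8, 13}, "mail.example.": {8}},
)

if __name__ == "__main__":
    print(signer_violations(EXAMPLE))
    for strict in (False, True):
        print("strict_mode=%s:" % strict,
              validate_rrset(EXAMPLE, "mail.example.", {8, 13}, strict))
```

`signer_violations` is the check Libor's reply is about: the zone is already non-compliant because mail.example. lacks an algorithm 13 signature. `validate_rrset` is the point Ben makes: an RFC 6840 validator still returns Secure for that RRset via the algorithm 8 path, so a zone's protection is only as strong as its weakest algorithm, whereas with the Strict flag honoured the same RRset is Bogus. A validator that does not implement algorithm 13 at all is unaffected by the flag, which is what the draft's "with a supported Algorithm" clause provides for.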