Maintained by: NLnet Labs

[Unbound-users] dfas.mil DNSSEC Failure

Casey Deccio
Fri Jun 28 16:37:24 CEST 2013


Hi Wouter,

On Fri, Jun 28, 2013 at 7:18 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
>
> Unbound checks that the chain of trust uses the correct algorithm, as
> advertised by the DS record.  The DS record advertises algorithm 7
> (only).  The DNSKEY record set has keys for 7 and 8.  The MX record is
> signed with only 8.
>
> Unbound is strict here, the DS record states that this chain of trust
> must be present (MUST in the RFC).  It is not, bogus.
>

I realize this has been the subject of some discussion over the past
several years.  RFC 6840 [1] updates RFC 4035 to specify that this
requirement applies to signers, not to validators:

   This requirement applies to servers, not validators.  Validators
   SHOULD accept any single valid path.  They SHOULD NOT insist that all
   algorithms signaled in the DS RRset work, and they MUST NOT insist
   that all algorithms signaled in the DNSKEY RRset work.  A validator
   MAY have a configuration option to perform a signature completeness
   test to support troubleshooting.

Casey

[1] http://tools.ietf.org/html/rfc6840#section-5.11

> Bind is more lenient here, and a signature whose algorithm was not
> advertised is fine.
>
> Best regards,
>    Wouter
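A model of the two validator policies discussed in this thread, added here as an illustration (it is not Unbound's or BIND's code); the record fields, the key tags and the assumption that every DS digest and RRSIG has already been cryptographically verified are constructed for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rec:
    """A DS, DNSKEY or RRSIG reduced to the fields this check needs.
    Digest/signature verification is assumed to have succeeded (constructed data)."""
    keytag: int
    algorithm: int

def validate(ds_set, dnskeys, dnskey_sigs, rrset_sigs, strict):
    """Return ('secure'|'bogus', reason) for one RRset under either policy.

    strict=True : the behaviour described for Unbound in the thread: every algorithm
                  signalled in the DS RRset must yield a verified RRSIG over the RRset.
    strict=False: RFC 6840 section 5.11: any single valid path is enough.
    """
    ids = lambda recs: {(r.keytag, r.algorithm) for r in recs}
    # 1. DS -> DNSKEY: which apex keys are anchored by the parent's DS RRset
    anchored = ids(ds_set) & ids(dnskeys)
    if not anchored:
        return "bogus", "no DNSKEY matches a DS record"
    # 2. The DNSKEY RRset must be signed by an anchored key; once it is, every
    #    key in that RRset (whatever its algorithm) becomes trusted.
    if not anchored & ids(dnskey_sigs):
        return "bogus", "DNSKEY RRset not signed by a DS-anchored key"
    # 3. RRset -> DNSKEY: algorithms for which a trusted key verified an RRSIG
    verified_algs = {alg for (_tag, alg) in ids(rrset_sigs) & ids(dnskeys)}
    if not verified_algs:
        return "bogus", "no RRSIG over the RRset verifies with a trusted key"
    if strict:
        missing = {d.algorithm for d in ds_set} - verified_algs
        if missing:
            return "bogus", f"DS signals algorithm(s) {sorted(missing)} with no verified RRSIG"
    return "secure", f"verified via algorithm(s) {sorted(verified_algs)}"

# Constructed data mirroring the case in the thread: DS advertises 7 only, the
# DNSKEY RRset holds keys for 7 and 8, the MX RRset is signed with 8 only.
# Key tags are made up; the DNSKEY RRset is assumed signed by both keys.
DS = [Rec(11111, 7)]
DNSKEYS = [Rec(11111, 7), Rec(22222, 8)]
DNSKEY_SIGS = [Rec(11111, 7), Rec(22222, 8)]
MX_SIGS = [Rec(22222, 8)]

def dfas_case(strict):
    return validate(DS, DNSKEYS, DNSKEY_SIGS, MX_SIGS, strict)

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "RFC 6840", "->", dfas_case(strict))
```

Running it shows the same MX RRset judged bogus by the strict policy and secure by the RFC 6840 policy; adding an algorithm 7 RRSIG over the MX RRset makes it secure under both.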