[Dnsmasq-discuss] [PATCH] Treat records signed using unknown algorithms as unsigned instead of bogus
Michał Kępień
Michal.Kepien at nask.pl
Wed Dec 9 12:32:43 GMT 2015
> This is starting to make much more sense to me now.
>
>
> It seems to me that there may be a very simple way to implement this,
> which is to simply disregard signatures for unknown algorithms. Thus
> the answer is treated in the same way as an unsigned answer: proof is
> sought that the zone is unsigned. At the moment this is done by
> looking for proof of absence of a DS record (NSEC or NSEC3). Extending
> this to accept a validated DS record with unknown hash or unknown
> algorithm makes things work in this case.
>
> Later: there may be a problem with the above, under the following
> circumstance.
>
> 1) The DNSKEY RRset contains at least two keys: one for a known
> algorithm and one for the unknown algorithm in the original answer.
>
> 2) The DNSKEY RRset is signed using the known algorithm.
>
> 3) The key for the known algorithm is validated by the hash of the
> corresponding DS record.
>
> My test above would fail to determine that an unsigned answer was
> legitimate under such circumstances and needs to be extended to
> account for that case.
>
> Sound reasonable?
Yes, I agree with everything you wrote above.
--
Best regards,
Michał Kępień
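The delegation test discussed in the quoted message, written out as an added example (it is not dnsmasq code and not part of the patch): a DS RRset that has been validated yields a secure delegation only if at least one DS uses both an algorithm and a digest type the validator implements; otherwise the child is handled exactly like a zone whose DS is proven absent (RFC 4035 section 5.2, RFC 6840 section 5.2). The second helper checks whether an answer carries any RRSIG the validator could actually verify, and the two scenarios reproduce the simple case and the three-point case from the thread. The supported-algorithm set, the key tags and the algorithm/digest number 200 are constructed sample values, not real assignments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA DNSSEC algorithm numbers and DS digest types used in the sample data. */
#define ALG_RSASHA256        8
#define ALG_ECDSAP256SHA256 13
#define DIGEST_SHA256        2

/* Constructed placeholders for an algorithm number and a digest type this
 * validator has no implementation for (assumptions, not real assignments). */
#define ALG_UNKNOWN    200
#define DIGEST_UNKNOWN 200

struct ds_record {
    uint16_t key_tag;
    uint8_t  algorithm;
    uint8_t  digest_type;
};

/* Assumption: the algorithms and digest types this validator implements. */
static bool algorithm_supported(uint8_t alg) {
    return alg == ALG_RSASHA256 || alg == ALG_ECDSAP256SHA256;
}
static bool digest_supported(uint8_t dt) { return dt == DIGEST_SHA256; }

enum delegation_status { DELEGATION_INSECURE = 0, DELEGATION_SECURE = 1 };

/* RFC 4035 s.5.2 / RFC 6840 s.5.2: an authenticated DS RRset gives a secure
 * delegation only if some DS uses both a supported algorithm and a supported
 * digest type. Otherwise the child is treated as if NSEC/NSEC3 had proven
 * that no DS exists. n == 0 models the proven-absent case directly. */
enum delegation_status classify_ds_rrset(const struct ds_record *ds, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (algorithm_supported(ds[i].algorithm) && digest_supported(ds[i].digest_type))
            return DELEGATION_SECURE;
    return DELEGATION_INSECURE;
}

/* True if the answer has at least one RRSIG whose algorithm the validator
 * implements and for which a DNSKEY of that algorithm is present. Only such
 * a signature can be checked; signatures for unknown algorithms are ignored. */
bool answer_has_verifiable_rrsig(const uint8_t *rrsig_algs, size_t n_sigs,
                                 const uint8_t *dnskey_algs, size_t n_keys) {
    for (size_t i = 0; i < n_sigs; i++) {
        if (!algorithm_supported(rrsig_algs[i]))
            continue;
        for (size_t j = 0; j < n_keys; j++)
            if (dnskey_algs[j] == rrsig_algs[i])
                return true;
    }
    return false;
}

/* Scenario A (the simple case): every DS at the parent uses an unknown
 * algorithm or digest, so the delegation is insecure and an answer signed
 * only with unknown algorithms is accepted as unsigned. */
bool scenario_all_ds_unknown(void) {
    const struct ds_record ds[] = {
        { 11111, ALG_UNKNOWN,   DIGEST_SHA256  },   /* constructed */
        { 22222, ALG_RSASHA256, DIGEST_UNKNOWN },   /* constructed */
    };
    return classify_ds_rrset(ds, 2) == DELEGATION_INSECURE;
}

/* Scenario B (points 1-3 in the thread): the DS validates a known-algorithm
 * key, the DNSKEY RRset also carries an unknown-algorithm key, and the answer
 * is signed only with the unknown one. The delegation is secure, so the
 * "is the zone unsigned?" test cannot clear the answer, yet none of its
 * RRSIGs is verifiable. Returns true when both halves of that gap hold. */
bool scenario_mixed_dnskey(void) {
    const struct ds_record ds[] = { { 33333, ALG_RSASHA256, DIGEST_SHA256 } }; /* constructed */
    const uint8_t dnskey_algs[] = { ALG_RSASHA256, ALG_UNKNOWN };
    const uint8_t rrsig_algs[]  = { ALG_UNKNOWN };
    bool secure = classify_ds_rrset(ds, 1) == DELEGATION_SECURE;
    bool verifiable = answer_has_verifiable_rrsig(rrsig_algs, 1, dnskey_algs, 2);
    return secure && !verifiable;
}

int main(void) {
    printf("all DS unknown -> insecure delegation: %s\n",
           scenario_all_ds_unknown() ? "yes" : "no");
    printf("mixed DNSKEY case leaves an unverifiable answer in a secure zone: %s\n",
           scenario_mixed_dnskey() ? "yes" : "no");
    return 0;
}
```

Scenario B is the situation the quoted message flags: the DS-based test alone never reaches "unsigned" there, which is why it says the check needs extending.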