[Last-Call] Re: Genart last call review of draft-ietf-dnsop-compact-denial-of-existence-05

On Mon, Jan 6, 2025 at 9:19 AM Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
On Thu, Jan 02, 2025 at 09:55:15AM -0500,
 Shumon Huque <shuque@xxxxxxxxx> wrote
 a message of 211 lines which said:

> In my view, this is not an erratum, which would imply there was an
> error in RFC4035. That RFC was focussed on the originally envisioned
> mode of DNSSEC, using pre-computed signatures, and did not take into
> account online signatures

Is it written somewhere? I always thought that RFC 4034/4035 allows
pre-computed signatures but does not require them. Nothing in it seems
to assume static signatures. IMHO, RFC 4034/4035 are quite neutral
about static vs. dynamic signatures.

I probably should have clarified - my statement was really about online
signing with "minimally covering NSEC records". There is clear text in
RFC 4034/4035 that is not compatible with that mode of online signing,
for example:

"An NSEC record (and its associated RRSIG RRset) MUST NOT be the only RRset at any particular owner name. That is, the signing process MUST NOT create NSEC or RRSIG RRs for owner name nodes that were not the owner name of any RRset before the zone was signed. The main reasons for this are a desire for namespace consistency between signed and unsigned versions of the same zone and a desire to reduce the risk of response inconsistency in security oblivious recursive name servers."

Also phrases like "before the zone was signed" indicate an assumption of
a pre-computed signature model. In online signing, the zone is not signed
beforehand - signatures for RRsets are generated on the fly in response to
queries.

Shumon.

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
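A worked illustration of the point above, added here by the editor; it is not code from the thread, the draft, or its authors. It builds the NSEC a pre-signed zone would return for a non-existent name (owner and next are both names that existed before signing) next to the "minimally covering" NSEC an on-line signer synthesizes in the style of RFC 4470 (owner is a name that sorts just before the QNAME and exists nowhere in the zone), and checks which of the two satisfies the RFC 4035 text quoted above. The sample zone and query name are constructed; the canonical ordering is RFC 4034 section 6.1. The third variant, which puts the NSEC at the QNAME itself, is my reading of the compact scheme named in the subject line and is not something the message describes; the 0x00 trailing-octet case of the RFC 4470 predecessor is handled only approximately.

```python
"""Why on-line NSEC synthesis conflicts with RFC 4035's "MUST NOT be the only
RRset at any particular owner name" rule.  Editor's example; constructed data.

Names are tuples of label byte-strings, e.g. (b"a", b"example", b"com").
"""

MAX_LABEL = 63    # RFC 1035 label length limit
MAX_NAME = 255    # RFC 1035 wire-format name length limit

# Constructed sample zone: the owner names present *before* signing.
ZONE = [
    (b"example", b"com"),
    (b"a", b"example", b"com"),
    (b"c", b"example", b"com"),
    (b"mail", b"example", b"com"),
]
QNAME = (b"b", b"example", b"com")   # constructed name that does not exist


def canonical_key(name):
    """Sort key for RFC 4034 s6.1 canonical ordering: labels compared from the
    rightmost leftwards, case-insensitively, as unsigned octet strings; a name
    that is a proper prefix of another sorts first (tuple comparison does this)."""
    return tuple(label.lower() for label in reversed(name))


def wire_length(name):
    """Wire-format length: one length octet per label plus the root label."""
    return sum(len(label) + 1 for label in name) + 1


def to_text(name):
    """Presentation form; non-printable octets, '.' and '\\' become \\DDD."""
    def esc(c):
        return chr(c) if 33 <= c < 127 and chr(c) not in ".\\" else "\\%03d" % c
    return ".".join("".join(esc(c) for c in label) for label in name) + "."


def exists_in_zone(name, zone_names):
    """Was this owner name present in the zone before signing?"""
    return any(canonical_key(name) == canonical_key(n) for n in zone_names)


def covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next (wrap-around at the
    end of the zone is handled)."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n        # last NSEC in the zone wraps to the apex


def precomputed_nsec(zone_names, qname):
    """RFC 4035 model: the covering NSEC is the one whose owner is the closest
    existing name sorting before qname, with next = closest existing name after."""
    ordered = sorted(zone_names, key=canonical_key)
    qkey = canonical_key(qname)
    before = [n for n in ordered if canonical_key(n) < qkey]
    after = [n for n in ordered if canonical_key(n) > qkey]
    return before[-1], (after[0] if after else ordered[0])


def minimally_covering_nsec(qname):
    """On-line synthesis in the style of RFC 4470.  Predecessor: decrement the
    last octet of the leftmost label, pad it with 0xFF, then prepend 0xFF labels
    while the 255-octet name limit allows (so no subdomain can sort between the
    owner and qname).  Successor: prepend a single 0x00 label to qname."""
    first, rest = qname[0], qname[1:]
    if first[-1] == 0:
        label = first[:-1]                       # approximation of the RFC 4470 rule
    else:
        label = first[:-1] + bytes([first[-1] - 1])
        label += b"\xff" * (MAX_LABEL - len(label))
    owner = (label,) + rest
    while wire_length(owner) + MAX_LABEL + 1 <= MAX_NAME:
        owner = (b"\xff" * MAX_LABEL,) + owner
    return owner, (b"\x00",) + qname


def compact_nsec(qname):
    """Assumed shape of the compact scheme: the NSEC sits at the QNAME itself,
    so it matches rather than covers the name.  Editor's reading, not the draft."""
    return qname, (b"\x00",) + qname


if __name__ == "__main__":
    for label, (owner, nxt) in [
        ("pre-computed", precomputed_nsec(ZONE, QNAME)),
        ("minimally covering", minimally_covering_nsec(QNAME)),
        ("compact (assumed)", compact_nsec(QNAME)),
    ]:
        print(f"{label:20} {to_text(owner)} NSEC {to_text(nxt)}  "
              f"owner existed before signing: {exists_in_zone(owner, ZONE)}")
```

Only the pre-computed NSEC has an owner name that "was the owner name of an RRset before the zone was signed"; the two on-line variants put NSEC and RRSIG at names the unsigned zone never contained, which is exactly the text Shumon cites.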
