[145354] in cryptography@c2.net mail archive
Re: Root Zone DNSSEC Deployment Technical Status Update
daemon@ATHENA.MIT.EDU (Thierry Moreau)
Sun Jul 18 00:19:15 2010
Date: Sat, 17 Jul 2010 14:23:41 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
CC: cryptography@metzdowd.com, Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <p06240830c86779c3a643@[10.20.30.158]>
Paul Hoffman wrote:
> At 9:52 AM -0400 7/17/10, Thierry Moreau wrote:
>> Incidentally, you say you [the design team] had good *documented* reasons for implementing DURZ *as*you*did*. Did you document why any of unknown/proprietary/foreign signature algorithm code(s) were not possible (this was an alternative)? This was my outstanding question.
>
> Thierry, can you say how using one of those alternatives would look different than the DURZ that they used? Should they all be marked as "unverified" in a compliant DNSSEC resolver?
Yes. E.g. if a zone is signed only by algorithm GOOSE_128, and your
validating resolver does not know this algorithm, the DNS zone data
remains "insecure" (this is what you mean by "unverified" I guess).
That's in the DNSSEC protocol.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
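The rule the reply refers to is the one in RFC 4035 section 5.2 (restated in RFC 6840): when the parent's DS RRset for a zone references only signature algorithms or digest types the validator does not implement, the validator has no supported authentication path and must treat the delegation as if no DS existed, i.e. the zone is "insecure" (unsigned), not "bogus". The following small model of that decision is an added example and is not code from the mailing-list post or from any real resolver; the hypothetical GOOSE_128 algorithm from the reply is given the PRIVATEDNS code point 253 purely for illustration, the `verifies` flag stands in for an actual RRSIG check, and all DS/DNSKEY values are constructed.

```python
"""Toy DNSSEC delegation classifier (added example, not from the original post).

Models RFC 4035 section 5.2: a DS RRset whose algorithms/digests are all
unsupported by the validator yields INSECURE rather than BOGUS.  Signature
verification itself is replaced by a constructed `verifies` flag.
"""

from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # chain validated with a supported algorithm
    INSECURE = "insecure"  # treated as unsigned (no DS, or only unknown algorithms)
    BOGUS = "bogus"        # a supported path exists but validation failed


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int     # IANA DNSSEC algorithm number
    digest_type: int   # IANA DS digest type number


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    verifies: bool     # constructed stand-in for "RRSIG over DNSKEY RRset checks out"


# Algorithms and digests this toy validator implements (real IANA numbers).
SUPPORTED_ALGS = frozenset({8, 13})   # RSASHA256, ECDSAP256SHA256
SUPPORTED_DIGESTS = frozenset({2})    # SHA-256

# Hypothetical "GOOSE_128" from the reply, mapped to the PRIVATEDNS code point.
GOOSE_128 = 253


def classify_zone(ds_rrset, dnskey_rrset,
                  supported_algs=SUPPORTED_ALGS,
                  supported_digests=SUPPORTED_DIGESTS):
    """Return the validation status of a child zone given the parent's DS RRset
    and the child's DNSKEY RRset (both assumed already authenticated/received)."""
    # No DS at the parent: an authenticated unsigned delegation.
    if not ds_rrset:
        return Status.INSECURE

    # Keep only DS records whose algorithm AND digest type we can process.
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algs
              and ds.digest_type in supported_digests]

    # RFC 4035 5.2: no supported authentication path -> treat like "no DS".
    if not usable:
        return Status.INSECURE

    # At least one supported path: it must actually validate, else BOGUS.
    for ds in usable:
        for key in dnskey_rrset:
            if (key.key_tag == ds.key_tag
                    and key.algorithm == ds.algorithm
                    and key.verifies):
                return Status.SECURE
    return Status.BOGUS


def demo():
    """Constructed scenarios comparing an unknown-algorithm signing with a
    supported-but-failing one."""
    goose_only = ([DS(1, GOOSE_128, 2)], [DNSKEY(1, GOOSE_128, True)])
    rsa_good = ([DS(2, 8, 2)], [DNSKEY(2, 8, True)])
    rsa_broken = ([DS(2, 8, 2)], [DNSKEY(2, 8, False)])
    mixed = ([DS(1, GOOSE_128, 2), DS(2, 8, 2)], [DNSKEY(2, 8, False)])
    return {
        "goose_only": classify_zone(*goose_only),
        "rsa_good": classify_zone(*rsa_good),
        "rsa_broken": classify_zone(*rsa_broken),
        "mixed": classify_zone(*mixed),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} -> {status.value}")
```

The `mixed` scenario is the one worth noting: once a single DS with a supported algorithm is present, the unknown-algorithm DS no longer buys an "insecure" fallback, and a failing signature makes the zone bogus.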
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com