DNSSEC - mismatch between algorithm and type of NSEC

Marc Lampo marc.lampo at eurid.eu
Wed Dec 29 08:37:36 UTC 2010


Hello,

And my best wishes for the new year 2011!
May we have lots of interesting questions, where we all can learn from ;-)

(hope my question is also in that category ...)

As .eu top level domain we try to avoid inserting DS records in our zone
where corresponding DNSKEY information is missing from the customers' zone
file, thus avoiding activating DNSSEC with an already broken chain-of-trust.

However, we now found the following case:
1) registrar offers us DNSKEY information with algorithm 7:
RSASHA1-NSEC3-SHA1
2) in the zone file, there are NSEC (and not NSEC3) records

Public DNSSEC verification tools (dnsviz, verisignlabs)
don't seem to make a problem out of this
(they do signal an insecure delegation, obviously: we don't publish a DS
record).
((There must be a wildcard in the zone file,
  so I can enter a domain name where the verification tools get NSEC
records.))


I can simulate the case in a test environment, of course,
but then I only see the behaviour of a specific name server
implementation.
But what is the list's interpretation of this situation: erroneous or not?
Does any DNSSEC RFC mention this case and prescribe a reaction to this?
 (I didn't find any -
  RFC5155 states the new algorithms - 6 and 7 - *must* be used when NSEC3
is used,
  but not a word - unless I overlooked it - about using algorithm 7 and
yet NSEC ...)


Looking forward to your comments.

Kind regards,


Marc Lampo
Security Officer

    EURid
    Woluwelaan 150
    1831 Diegem - Belgium
    TEL.: +32 (0) 2 401 3030
    MOB.: +32 (0)476 984 391
    marc.lampo at eurid.eu
    http://www.eurid.eu
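As an added example (not code from the original post or from EURid), here is a small Python pre-publication check of the kind the post describes: before a DS record is published, it verifies that the offered DNSKEY actually appears in the child zone, applies the RFC 5155 rule the post cites (a zone using NSEC3 must use the alias algorithms 6/7), and flags the post's case, algorithm 7 together with an NSEC chain, for manual review rather than asserting that any RFC forbids it. Zone names, record values and key material are constructed sample data.

```python
# Added example: registry-side sanity check before publishing a DS record.
# Record lines and key material below are constructed, not real.
NSEC3_ALIAS_ALGS = {6, 7}   # RFC 5155: DSA-NSEC3-SHA1 (6), RSASHA1-NSEC3-SHA1 (7)
NSEC_ONLY_ALGS = {3, 5}     # DSA (3), RSASHA1 (5): their NSEC3 aliases are 6 and 7

# Constructed child zone in presentation format: algorithm 7 keys, NSEC chain.
ZONE_LINES = [
    "example.eu. 3600 IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDksk==",
    "example.eu. 3600 IN DNSKEY 256 3 7 AwEAAcONSTRUCTEDzsk==",
    "example.eu. 3600 IN NSEC a.example.eu. A NS SOA RRSIG NSEC DNSKEY",
    "a.example.eu. 3600 IN NSEC example.eu. A RRSIG NSEC",
]
# DNSKEY rdata as submitted by the registrar (constructed).
OFFERED_DNSKEY = "257 3 7 AwEAAcONSTRUCTEDksk=="


def parse_zone(lines):
    """Return (owner, rrtype, rdata) tuples from 'owner ttl IN TYPE rdata' lines."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "IN":
            records.append((fields[0], fields[3], " ".join(fields[4:])))
    return records


def check_before_publishing_ds(records, offered_dnskey):
    """Findings that should block, or hold for review, publication of a DS."""
    findings = []
    dnskeys = [rdata for _, rrtype, rdata in records if rrtype == "DNSKEY"]
    if offered_dnskey not in dnskeys:
        # Publishing a DS for a key the child does not serve breaks the chain.
        findings.append("offered DNSKEY is not published in the child zone")
    algs = {int(rdata.split()[2]) for rdata in dnskeys}
    rrtypes = {rrtype for _, rrtype, _ in records}
    has_nsec = "NSEC" in rrtypes
    has_nsec3 = bool(rrtypes & {"NSEC3", "NSEC3PARAM"})
    if has_nsec3 and algs & NSEC_ONLY_ALGS:
        # RFC 5155: NSEC3 zones must use the alias algorithms, not plain 3/5.
        findings.append("NSEC3 in use with algorithm 3/5 instead of alias 6/7")
    if has_nsec and not has_nsec3 and algs & NSEC3_ALIAS_ALGS:
        # The post's case: NSEC3-alias algorithm but an NSEC chain. Not
        # explicitly covered by the RFCs the post checked, so hold for review.
        findings.append("algorithm 6/7 with NSEC chain: hold for manual review")
    if has_nsec and has_nsec3:
        findings.append("zone mixes NSEC and NSEC3 records")
    return findings
```

Running `check_before_publishing_ds(parse_zone(ZONE_LINES), OFFERED_DNSKEY)` on the sample yields only the manual-review finding; a missing key or an NSEC3 zone signed with algorithm 5 yields a blocking finding instead.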

