RFC 5702, "Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC", October 2009Source of RFC: dnsext (int)
See Also: RFC 5702 w/ inline errata
Errata ID: 7090
Publication Format(s) : TEXT
Reported By: Peter van Dijk
Date Reported: 2022-08-15
Verifier Name: Warren Kumari (Ops AD)
Date Verified: 2022-08-26
Section 8.2 says:
8.2. Signature Type Downgrade Attacks Since each RRSet MUST be signed with each algorithm present in the DNSKEY RRSet at the zone apex (see Section 2.2 of [RFC4035]), a malicious party cannot filter out the RSA/SHA-2 RRSIG and force the validator to use the RSA/SHA-1 signature if both are present in the zone. This should provide resilience against algorithm downgrade attacks, if the validator supports RSA/SHA-2.
It should say:
The section is incorrect in its entirety. Although the requirement on signers does exist, there is no related requirement for validators to check that all signature algorithms are present. RFC6840 5.11 (which I do realise is newer than RFC5702) re-states this explicitly, where RFC4035 merely implied this distinction.