Re: [dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)

[Viktor Dukhovni <viktor1dane@dukhovni.org>]

On Thu, Nov 14, 2013 at 10:27:21PM -0800, Matt McCutchen wrote:

> > Thanks, yes, so my proposal requires no changes to the DANE RRset,
> > rather it requires sensible DNS operator practice.  For each 
> > (usage, selector) combination the mapping:
> > 
> >     "data" -> SET OF mtype for RRs that correspond to "data"
> > 
> > must be the same for all "data" that use the same (usage, selector).
> > I think this is the "Cartesian Product" option in your ticket, but
> > the set of mtypes may differ from one (usage, selector) pair to another.
> 
> Right.
> 
> Sensible as this practice may seem, it's not required by the standard,
> which may reduce the likelihood that any given zone administrator will
> be willing to follow it.  You may get fewer interoperability failures at
> the cost of missing some attacks by having the zone opt into an
> algorithm agility scheme by publishing additional RRs.

Fortunately, there is zero installed base for DANE.  So even if
RFC 6698 does not require the practice I am suggesting, I can add
it to the SMTP draft, and make sure it is implemented in the first
MTA to implement DANE (and likely also the second, as Exim developers
are likely to work towards a compatible implementation soon).
Therefore, it can become standard practice for SMTP from the outset.

We can also publish this in the OPs draft, and encourage other
protocol implementors (hint: XMPP, ...) to do likewise.  It may
also be time to start thinking about DANE bis, and this could be
one of the additions.

So it is far from too late to add this requirement without the
complexity of additional new records.

Given the "greenfields" state of DANE adoption today, is there a
plausible consensus for moving forward with this proposal.  Any
positive or negative feedback on the processing of a-priori unusable
records?

-- 
	Viktor.