Re: [dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)

Viktor Dukhovni <> Fri, 15 November 2013 06:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 603DB11E8107 for <>; Thu, 14 Nov 2013 22:37:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id clxb68HAXYDi for <>; Thu, 14 Nov 2013 22:37:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 3660111E80DC for <>; Thu, 14 Nov 2013 22:37:34 -0800 (PST)
Received: by (Postfix, from userid 1034) id CF97B2AB141; Fri, 15 Nov 2013 06:37:32 +0000 (UTC)
Date: Fri, 15 Nov 2013 06:37:32 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <1383702043.26498.20.camel@localhost> <> <1384496841.1772.8.camel@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1384496841.1772.8.camel@localhost>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Digest algorithm agility (possible discussion topic for: Informal lunch meeting in Vancouver on Thursday)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Nov 2013 06:37:39 -0000

On Thu, Nov 14, 2013 at 10:27:21PM -0800, Matt McCutchen wrote:

> > Thanks, yes, so my proposal requires no changes to the DANE RRset,
> > rather it requires sensible DNS operator practice.  For each 
> > (usage, selector) combination the mapping:
> > 
> >     "data" -> SET OF mtype for RRs that correspond to "data"
> > 
> > must be the same for all "data" that use the same (usage, selector).
> > I think this is the "Cartesian Product" option in your ticket, but
> > the set of mtypes may differ from one (usage, selector) pair to another.
> Right.
> Sensible as this practice may seem, it's not required by the standard,
> which may reduce the likelihood that any given zone administrator will
> be willing to follow it.  You may get fewer interoperability failures at
> the cost of missing some attacks by having the zone opt into an
> algorithm agility scheme by publishing additional RRs.

Fortunately, there is zero installed base for DANE.  So even if
RFC 6698 does not require the practice I am suggesting, I can add
it to the SMTP draft, and make sure it is implemented in the first
MTA to implement DANE (and likely also the second, as Exim developers
are likely to work towards a compatible implementation soon).
Therefore, it can become standard practice for SMTP from the outset.

We can also publish this in the OPs draft, and encourage other
protocol implementors (hint: XMPP, ...) to do likewise.  It may
also be time to start thinking about DANE bis, and this could be
one of the additions.

So it is far from too late to add this requirement without the
complexity of additional new records.

Given the "greenfields" state of DANE adoption today, is there a
plausible consensus for moving forward with this proposal.  Any
positive or negative feedback on the processing of a-priori unusable