Re: [dns-privacy] DOTPIN, TLSA, and DiS
Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Fri, 20 November 2020 21:00 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/rrms0I2iLz9wSJPoMAiJyEwZVa4>
On 11/20/20 9:14 PM, Brian Dickson wrote:
> So, using a new algorithm for whatever we do, should be 100% backward
> compatible.

Yes, it should be. A few different proposals have been relying on that already, for DS or DNSKEY. It is possible that some validators still have bugs around this, but hopefully they would be manageable. For signers there's a possible caveat that a zone must be fully signed by *all* the present DNSKEY algorithms, but my point of view is that redefining that is relatively easy on deployment (as only zones wanting the feature get affected). See last paragraph of https://tools.ietf.org/html/rfc4035#section-2.2

> I think we (the three of us and maybe Tony Finch, if not the whole DNS
> community) may be converging on a design that will, I believe, work.

So far I can't clearly see that direction of convergence, but I'll be looking forward to such design proposals.

--Vladimir
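Added example (not part of the thread, and not code from any of the participants): a small Python model of the two rules the reply leans on, the validator side of unknown-algorithm handling (RFC 4035 section 5.2, clarified by RFC 6840 section 5.2) and the signer-side "RRSIG for every algorithm in the apex DNSKEY RRset" rule of RFC 4035 section 2.2. The algorithm number 250 and the zone data are constructed for illustration.

```python
# Added example, not from the mailing-list thread. Models why a new
# DNSKEY/DS algorithm is backward compatible for validators and what
# RFC 4035 s2.2 demands of a signer that deploys it.

RSASHA256 = 8
ECDSAP256SHA256 = 13
NEW_ALG = 250  # constructed for illustration, not an IANA-assigned number


def classify_delegation(ds_algs, supported, verify):
    """Decide what a validator does with a signed delegation.

    ds_algs:   algorithm numbers listed in the parent's DS RRset
    supported: algorithm numbers this validator implements
    verify:    callable(alg) -> True if validation with that alg succeeds

    Algorithms the validator does not know are ignored.  If none of the
    DS algorithms is known, the child zone is treated as unsigned
    (insecure) rather than bogus (RFC 4035 s5.2); that is what makes a
    brand-new algorithm safe to deploy next to an old one.
    """
    usable = [alg for alg in ds_algs if alg in supported]
    if not usable:
        return "insecure"
    return "secure" if any(verify(alg) for alg in usable) else "bogus"


def signer_violations(apex_dnskey_algs, ds_algs, rrsig_algs_by_rrset):
    """Return RFC 4035 s2.2 violations for a zone, as human-readable strings.

    Every RRset needs an RRSIG made with each algorithm present in the
    apex DNSKEY RRset, and the DNSKEY RRset additionally needs an RRSIG
    for each algorithm in the parent's DS RRset.  This is the "fully
    signed by all present algorithms" caveat the reply mentions.
    """
    problems = []
    for rrset_name, algs in rrsig_algs_by_rrset.items():
        for alg in sorted(apex_dnskey_algs - algs):
            problems.append(f"{rrset_name}: missing RRSIG with algorithm {alg}")
    for alg in sorted(ds_algs - rrsig_algs_by_rrset.get("DNSKEY", set())):
        problems.append(f"DNSKEY: missing RRSIG with DS algorithm {alg}")
    return problems
```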