IETF Logo Mail Archive

Re: [dnsext] comments on draft-crocker-dnssec-algo-signal-03

Eric Osterweil <eoster@cs.ucla.edu> Thu, 30 July 2009 12:34 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E997E28C25F; Thu, 30 Jul 2009 05:34:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2uQhCOe2TWkg; Thu, 30 Jul 2009 05:34:21 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 27A0728C1A0; Thu, 30 Jul 2009 05:33:34 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MWUm0-000GYu-3q for namedroppers-data0@psg.com; Thu, 30 Jul 2009 12:30:16 +0000
Received: from [2607:f010:3fe:202:1013:72ff:fe5b:6108] (helo=out-11.smtp.ucla.edu) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <eoster@cs.ucla.edu>) id 1MWUlr-000GXK-20 for namedroppers@ops.ietf.org; Thu, 30 Jul 2009 12:30:12 +0000
Received: from smtp-2.smtp.ucla.edu (smtp-2.smtp.ucla.edu [169.232.47.240]) by out-11.smtp.ucla.edu with ESMTP id n6UCTZqT008597; Thu, 30 Jul 2009 05:29:36 -0700
Received: from mail.ucla.edu (mail.ucla.edu [169.232.46.158]) by smtp-2.smtp.ucla.edu (8.14.3/8.14.3) with ESMTP id n6UCTZqT008597; Thu, 30 Jul 2009 05:29:35 -0700
Received: from dhcp-158b.meeting.ietf.org (dhcp-158b.meeting.ietf.org [130.129.21.139]) (authenticated bits=0) by mail.ucla.edu (8.14.3/8.14.3) with ESMTP id n6UCTWfx014273 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 30 Jul 2009 05:29:34 -0700
Cc: namedroppers@ops.ietf.org
Message-Id: <80C086A4-2FF5-4F76-9AF9-05986637C423@cs.ucla.edu>
From: Eric Osterweil <eoster@cs.ucla.edu>
To: Michael Graff <mgraff@isc.org>
In-Reply-To: <4A702AE1.10201@isc.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v935.3)
Subject: Re: [dnsext] comments on draft-crocker-dnssec-algo-signal-03
Date: Thu, 30 Jul 2009 14:29:28 +0200
References: <4A702AE1.10201@isc.org>
X-Pgp-Agent: GPGMail 1.2.0 (v56)
X-Mailer: Apple Mail (2.935.3)
X-Probable-Spam: no
X-Scanned-By: smtp.ucla.edu on 169.232.47.240
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jul 29, 2009, at 12:56 PM, Michael Graff wrote:

> Let me state some reasons I'm opposed to this draft's purpose, even  
> though I think some part of it would be very interesting to pursue.
>
> (1)  This becomes a meta-type in practice.  It might prevent some  
> lookups initially, but should a client ask for items that were not  
> in the cache, the server would have to remember which algorithms it  
> saw in the DNSKEY response to know which it could usefully retrieve  
> with follow-on queries.  For example, a particular stub might  
> support more algorithms than the cache it asks, so additional  
> queries (including additional queries for the DNSKEY to obtain its  
> signatures) would have to be generated.
>
> (2)  This solves a problem I do not fully believe is a problem, that  
> of TCP fallback.  I've said it before, but chat servers, web  
> servers, and other types of TCP-based servers handle many, many  
> connections/sec and many, many sustained clients today.  I don't  
> understand why DNS is different here, excepting perhaps that we have  
> not encountered this situation until now.
>
> (3)  It solves a problem that I do not fully believe is a problem,  
> that of fragmented packets.  There is no solid solution in this  
> proposal that it WILL get packets through, only that it might have a  
> better chance to do so.  Key rollover will still cause large packets  
> and/or TCP fallback, which means only during rollover events will  
> badness occur.  I'd rather it occur all the time rather than only in  
> some situations.

So, I don't completely understand this.  The PMTU problem is actually  
observable, so why are you saying it doesn't exist?  There are  
numerous zones for which this can be seen.  Also, I think it is  
important to note that a TC bit is commonly interpreted to mean, "do  
TCP now."  However, this does not need to be the case, and RFC 2671  
does not advocate that approach either.

Maybe before this descends too quickly, would you mind clarifying why  
you don't believe it is a problem?

>
>
> (4)  I believe the knowledge it would allow to be gathered -- that  
> of which algorithms, hashes, etc. were in common use -- is very  
> valuable. Perhaps a draft on "voluntary reporting of server  
> capabilities" would be useful, where the data would be anonymous,  
> infrequently (order days at least) reported, and collected into  
> reports.  Knowing that RSA/SHA1 is not used any longer is very good  
> information to know in terms of deprecating protocols, but using  
> that as a filter seems unwise to me.

fwiw, this is available on the front page of:
	http://secspider.cs.ucla.edu/
under "Distribution of key algorithms in use."  Is that not a  
sufficient summary?

Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)

iEYEARECAAYFAkpxkisACgkQK/tq6CJjZQKB/ACeN6aqvjcsBEFOKaPaf2m3ioXO
dIMAoIOR7rwumf5N6oE/TSmSb4IoA+qt
=r7Ia
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email