Re: [dnsext] comments on draft-crocker-dnssec-algo-signal-03
Michael Graff <mgraff@isc.org> Thu, 30 July 2009 13:02 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6FDAB28C1EE; Thu, 30 Jul 2009 06:02:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.683
X-Spam-Level:
X-Spam-Status: No, score=-101.683 tagged_above=-999 required=5 tests=[AWL=-0.203, BAYES_00=-2.599, HELO_EQ_IP_ADDR=1.119, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KRqiZC8AS79r; Thu, 30 Jul 2009 06:02:14 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 4ECA928C177; Thu, 30 Jul 2009 06:02:14 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MWVCp-000Lww-4I for namedroppers-data0@psg.com; Thu, 30 Jul 2009 12:57:59 +0000
Received: from [2001:4f8:3:ba:203:47ff:fe6c:4a31] (helo=white.flame.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <mgraff@isc.org>) id 1MWVCk-000Lun-DX for namedroppers@ops.ietf.org; Thu, 30 Jul 2009 12:57:56 +0000
Received: from white.flame.org (localhost [127.0.0.1]) by white.flame.org (Postfix) with ESMTP id C02C1327A85; Thu, 30 Jul 2009 12:57:53 +0000 (UTC)
Received: from [130.129.23.145] (dhcp-1791.meeting.ietf.org [130.129.23.145]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by white.flame.org (Postfix) with ESMTP id C7041327A7F; Thu, 30 Jul 2009 12:57:52 +0000 (UTC)
References: <4A702AE1.10201@isc.org> <80C086A4-2FF5-4F76-9AF9-05986637C423@cs.ucla.edu>
Message-Id: <E9BD318E-A9F3-4259-99D7-713775FD432D@isc.org>
From: Michael Graff <mgraff@isc.org>
To: Eric Osterweil <eoster@cs.ucla.edu>
In-Reply-To: <80C086A4-2FF5-4F76-9AF9-05986637C423@cs.ucla.edu>
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
X-Mailer: iPhone Mail (7A341)
Mime-Version: 1.0 (iPhone Mail 7A341)
Subject: Re: [dnsext] comments on draft-crocker-dnssec-algo-signal-03
Date: Thu, 30 Jul 2009 14:57:48 +0200
Cc: "namedroppers@ops.ietf.org" <namedroppers@ops.ietf.org>
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
I remain unconvinced that tcp is evil. Re secspider yes it is not as useful. It measures probed algorithms not reported ability to use algorithms. --Michael On Jul 30, 2009, at 14:29, Eric Osterweil <eoster@cs.ucla.edu> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > On Jul 29, 2009, at 12:56 PM, Michael Graff wrote: > >> Let me state some reasons I'm opposed to this draft's purpose, even >> though I think some part of it would be very interesting to pursue. >> >> (1) This becomes a meta-type in practice. It might prevent some >> lookups initially, but should a client ask for items that were not >> in the cache, the server would have to remember which algorithms it >> saw in the DNSKEY response to know which it could usefully retrieve >> with follow-on queries. For example, a particular stub might >> support more algorithms than the cache it asks, so additional >> queries (including additional queries for the DNSKEY to obtain its >> signatures) would have to be generated. >> >> (2) This solves a problem I do not fully believe is a problem, >> that of TCP fallback. I've said it before, but chat servers, web >> servers, and other types of TCP-based servers handle many, many >> connections/sec and many, many sustained clients today. I don't >> understand why DNS is different here, excepting perhaps that we >> have not encountered this situation until now. >> >> (3) It solves a problem that I do not fully believe is a problem, >> that of fragmented packets. There is no solid solution in this >> proposal that it WILL get packets through, only that it might have >> a better chance to do so. Key rollover will still cause large >> packets and/or TCP fallback, which means only during rollover >> events will badness occur. I'd rather it occur all the time rather >> than only in some situations. > > So, I don't completely understand this. The PMTU problem is > actually observable, so why are you saying it doesn't exist? There > are numerous zones for which this can be seen. Also, I think it is > important to note that a TC bit is commonly interpreted to mean, "do > TCP now." However, this does not need to be the case, and RFC 2671 > does not advocate that approach either. > > Maybe before this descends too quickly, would you mind clarifying > why you don't believe it is a problem? > >> >> >> (4) I believe the knowledge it would allow to be gathered -- that >> of which algorithms, hashes, etc. were in common use -- is very >> valuable. Perhaps a draft on "voluntary reporting of server >> capabilities" would be useful, where the data would be anonymous, >> infrequently (order days at least) reported, and collected into >> reports. Knowing that RSA/SHA1 is not used any longer is very good >> information to know in terms of deprecating protocols, but using >> that as a filter seems unwise to me. > > fwiw, this is available on the front page of: > http://secspider.cs.ucla.edu/ > under "Distribution of key algorithms in use." Is that not a > sufficient summary? > > Eric > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.9 (Darwin) > > iEYEARECAAYFAkpxkisACgkQK/tq6CJjZQKB/ACeN6aqvjcsBEFOKaPaf2m3ioXO > dIMAoIOR7rwumf5N6oE/TSmSb4IoA+qt > =r7Ia > -----END PGP SIGNATURE----- -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] comments on draft-crocker-dnssec-algo-si… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Wouters
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Jeffrey A. Williams
- [dnsext] dnssec-algo-signal & Roy bmanning
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Joe Abley
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bmanning
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Andreas Gustafsson
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bmanning
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Jeffrey A. Williams
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Mark Andrews
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Niall O'Reilly
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Douglas Otis
- [dnsext] Re: comments on draft-crocker-dnssec-alg… Anand Buddhdev
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Bob Halley
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Nicholas Weaver
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Douglas Otis
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Nicholas Weaver
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- edns fallback (was Re: [dnsext] comments on draft… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Douglas Otis
- Re: edns fallback (was Re: [dnsext] comments on d… Eric Osterweil
- Re: edns fallback (was Re: [dnsext] comments on d… Douglas Otis
- Re: edns fallback (was Re: [dnsext] comments on d… Paul Vixie
- Re: edns fallback (was Re: [dnsext] comments on d… Mark Andrews
- Re: edns fallback (was Re: [dnsext] comments on d… Paul Wouters