Re: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 02 April 2011 06:38 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <alpine.BSF.2.00.1104011024530.92106@fledge.watson.org>
Date: Sat, 02 Apr 2011 08:39:43 +0200
Message-Id: <9BBFDA5E-2921-4C8D-8564-2EA67648C403@vpnc.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com> <a06240802c9a7e0807069@10.31.200.117> <AANLkTi=4co5mS3RYhK1BvUMOm54wgNAMeKtk3_Zm0ff1@mail.gmail.com> <a06240802c9a93d762e13@[10.31.200.112]> <a06240803c9a9417e1fe8@[10.31.200.112]> <4D938CC3.1020103@nlnetlabs.nl> <a06240800c9ba6184d535@[10.31.200.112]> <4D94DF2B.1040407@nlnetlabs.nl> <a06240800c9bb6f86edae@[10.31.200.112]> <alpine.BSF.2.00.1104011022030.92106@fledge.watson.org> <alpine.BSF.2.00.1104011024530.92106@fledge.watson.org>
To: DNSEXT Working Group <dnsext@ietf.org>

On Apr 1, 2011, at 4:28 PM, Samuel Weiler wrote:

> For additional operational and zone-signing flexibility, particularly
> to allow the publication of a DNSKEY of a new algorithm before a zone
> is fully signed with that algorithm, we propose to change these rules
> to use ONLY the DS RRset for algorithm signalling, not the DNSKEY
> RRset.
> 
> Zones will be required to be signed with each algorithm (though not
> necessarily each key) present in the zone's DS RRset or configured
> trust anchors.

I oppose this because it makes DNSSEC more brittle for no good cryptographic reason. If a zone no longer trusts a signature algorithm, they can stop using it.

--Paul Hoffman
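The two signalling rules the quoted proposal contrasts can be stated mechanically. The following is an added example, not code from the thread or from any DNSSEC implementation: it encodes the signer-side rule of RFC 4035 section 2.2 (every RRset carries an RRSIG for each algorithm in the apex DNSKEY RRset, and the DNSKEY RRset additionally for each algorithm in the parent's DS RRset) next to the DS-only rule proposed above, and runs both over a constructed zone snapshot in which an ECDSAP256SHA256 DNSKEY has been pre-published before any RRset is signed with it. The zone data, the function names and the per-RRset map of signing algorithms are all assumptions made for the illustration; algorithm numbers 8 and 13 are the IANA registry values.

```python
# Added example, not from the thread: encodes the RFC 4035 section 2.2
# signing rule and the DS-only rule from "MAR proposal #2" so the
# pre-publish case can be checked mechanically. All zone data is constructed.
from typing import Dict, FrozenSet, List

Algs = FrozenSet[int]

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13


def check_rfc4035(ds_algs: Algs, dnskey_algs: Algs,
                  rrsig_algs: Dict[str, Algs]) -> List[str]:
    """RFC 4035 s.2.2: every RRset needs an RRSIG from each algorithm in the
    apex DNSKEY RRset, and the DNSKEY RRset additionally needs an RRSIG from
    each algorithm in the parent's DS RRset. Returns a list of violations."""
    problems: List[str] = []
    for name, sig_algs in rrsig_algs.items():
        for alg in sorted(dnskey_algs - sig_algs):
            problems.append(f"{name}: no RRSIG with DNSKEY algorithm {alg}")
    for alg in sorted(ds_algs - rrsig_algs.get("DNSKEY", frozenset())):
        problems.append(f"DNSKEY: no RRSIG with DS algorithm {alg}")
    return problems


def check_ds_only(ds_algs: Algs, rrsig_algs: Dict[str, Algs],
                  trust_anchor_algs: Algs = frozenset()) -> List[str]:
    """Proposal #2: every RRset needs an RRSIG from each algorithm in the DS
    RRset or in configured trust anchors; the DNSKEY RRset itself does not
    signal anything. Returns a list of violations."""
    required = ds_algs | trust_anchor_algs
    problems: List[str] = []
    for name, sig_algs in rrsig_algs.items():
        for alg in sorted(required - sig_algs):
            problems.append(f"{name}: no RRSIG with algorithm {alg}")
    return problems


def prepublish_scenario() -> Dict[str, List[str]]:
    """Constructed zone: signed with RSASHA256, parent DS is RSASHA256, and
    the operator has just added an ECDSAP256SHA256 DNSKEY without signing
    anything with it yet (the pre-publish step the proposal wants to allow).
    rrsig_algs maps each RRset (by an assumed label) to the algorithms that
    currently sign it."""
    ds_algs = frozenset({RSASHA256})
    dnskey_algs = frozenset({RSASHA256, ECDSAP256SHA256})
    rrsig_algs = {
        "DNSKEY": frozenset({RSASHA256}),
        "SOA": frozenset({RSASHA256}),
        "www/A": frozenset({RSASHA256}),
    }
    return {
        "rfc4035": check_rfc4035(ds_algs, dnskey_algs, rrsig_algs),
        "ds_only": check_ds_only(ds_algs, rrsig_algs),
    }


if __name__ == "__main__":
    for rule, problems in prepublish_scenario().items():
        print(rule, "->", problems or "zone is consistently signed")
```

Under the RFC 4035 rule the pre-published key makes every RRset deficient (three violations, one per RRset, all for algorithm 13); under the DS-only rule the same snapshot passes, because the DS RRset still names only algorithm 8. The same functions show the other direction of the proposal's requirement: once algorithm 13 appears in the DS RRset or a trust anchor, `check_ds_only` demands an algorithm 13 RRSIG on every RRset.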