[dnsext] comments on draft-crocker-dnssec-algo-signal-03
Michael Graff <mgraff@isc.org> Wed, 29 July 2009 14:45 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 894BB3A6EA3; Wed, 29 Jul 2009 07:45:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.555
X-Spam-Level:
X-Spam-Status: No, score=-102.555 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pk1vcb9nuM+O; Wed, 29 Jul 2009 07:45:05 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id AC7BC3A6CFB; Wed, 29 Jul 2009 07:45:05 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1MWALx-0005E9-CG for namedroppers-data0@psg.com; Wed, 29 Jul 2009 14:42:01 +0000
Received: from [2001:4f8:3:ba:203:47ff:fe6c:4a31] (helo=white.flame.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <mgraff@isc.org>) id 1MWALt-0005Cy-EF for namedroppers@ops.ietf.org; Wed, 29 Jul 2009 14:41:59 +0000
Received: from white.flame.org (localhost [127.0.0.1]) by white.flame.org (Postfix) with ESMTP id D2B04327A78 for <namedroppers@ops.ietf.org>; Wed, 29 Jul 2009 14:41:56 +0000 (UTC)
Received: from red-dragon.road.flame.org (unknown [IPv6:2001:df8:0:16:213:46ff:feb9:ea2a]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by white.flame.org (Postfix) with ESMTP id A9422327A6D for <namedroppers@ops.ietf.org>; Wed, 29 Jul 2009 14:41:55 +0000 (UTC)
Message-ID: <4A702AE1.10201@isc.org>
Date: Wed, 29 Jul 2009 05:56:33 -0500
From: Michael Graff <mgraff@isc.org>
User-Agent: Thunderbird 2.0.0.21 (X11/20090622)
MIME-Version: 1.0
To: namedroppers@ops.ietf.org
Subject: [dnsext] comments on draft-crocker-dnssec-algo-signal-03
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Let me state some reasons I'm opposed to this draft's purpose, even though I think some part of it would be very interesting to pursue. (1) This becomes a meta-type in practice. It might prevent some lookups initially, but should a client ask for items that were not in the cache, the server would have to remember which algorithms it saw in the DNSKEY response to know which it could usefully retrieve with follow-on queries. For example, a particular stub might support more algorithms than the cache it asks, so additional queries (including additional queries for the DNSKEY to obtain its signatures) would have to be generated. (2) This solves a problem I do not fully believe is a problem, that of TCP fallback. I've said it before, but chat servers, web servers, and other types of TCP-based servers handle many, many connections/sec and many, many sustained clients today. I don't understand why DNS is different here, excepting perhaps that we have not encountered this situation until now. (3) It solves a problem that I do not fully believe is a problem, that of fragmented packets. There is no solid solution in this proposal that it WILL get packets through, only that it might have a better chance to do so. Key rollover will still cause large packets and/or TCP fallback, which means only during rollover events will badness occur. I'd rather it occur all the time rather than only in some situations. (4) I believe the knowledge it would allow to be gathered -- that of which algorithms, hashes, etc. were in common use -- is very valuable. Perhaps a draft on "voluntary reporting of server capabilities" would be useful, where the data would be anonymous, infrequently (order days at least) reported, and collected into reports. Knowing that RSA/SHA1 is not used any longer is very good information to know in terms of deprecating protocols, but using that as a filter seems unwise to me. --Michael -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] comments on draft-crocker-dnssec-algo-si… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Wouters
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Jeffrey A. Williams
- [dnsext] dnssec-algo-signal & Roy bmanning
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Joe Abley
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bmanning
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Andreas Gustafsson
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bmanning
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Jeffrey A. Williams
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Mark Andrews
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Niall O'Reilly
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Michael Graff
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Douglas Otis
- [dnsext] Re: comments on draft-crocker-dnssec-alg… Anand Buddhdev
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Bob Halley
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… bert hubert
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Nicholas Weaver
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Douglas Otis
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Nicholas Weaver
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Eric Osterweil
- edns fallback (was Re: [dnsext] comments on draft… Paul Vixie
- Re: [dnsext] comments on draft-crocker-dnssec-alg… Douglas Otis
- Re: edns fallback (was Re: [dnsext] comments on d… Eric Osterweil
- Re: edns fallback (was Re: [dnsext] comments on d… Douglas Otis
- Re: edns fallback (was Re: [dnsext] comments on d… Paul Vixie
- Re: edns fallback (was Re: [dnsext] comments on d… Mark Andrews
- Re: edns fallback (was Re: [dnsext] comments on d… Paul Wouters