[DNSOP] Fwd: DNSSEC algorithm used on ietf.org
Petr Menšík <pemensik@redhat.com> Wed, 23 March 2022 14:31 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1FPN4VXBxHPNIrrQjlTtFGBhtTU>
Is this workgroup more appropriate to drive possible change? Has it any means to modify ietf.org infrastructure?

-------- Forwarded Message --------
Subject: DNSSEC algorithm used on ietf.org
Date: Wed, 23 Mar 2022 12:28:39 +0100
From: Petr Menšík <pemensik@redhat.com>
Organization: Red Hat
To: tools-discuss@ietf.org

Hello,

I work at Red Hat on DNS related products. We were analysing the impact of disabling algorithm RSASHA1. It is in a strange situation, because IETF itself deprecated this algorithm [1], but is using it for all documents it publishes. For some reason the site stats.dnssec-tools.org gives it as an example [2].

It seems the Key signing key (KSK) and algorithm should be upgraded to a more recent algorithm. There is also informational RFC 7583 [3], which should help with it.

Is there already a plan to upgrade the DNSSEC algorithm? Is there any specific reason why it stayed unchanged?

I was directed here by the support of ietf. It might also be an interesting topic for the dnsop WG. Was an upgrade already considered?

Best Regards,
Petr Menšík

1. https://datatracker.ietf.org/doc/html/rfc8624#section-3
2. https://stats.dnssec-tools.org/explore/
3. https://datatracker.ietf.org/doc/html/rfc7583

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB