[DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC

John R Levine <johnl@taugh.com> Sat, 27 July 2024 04:07 UTC

Date: Fri, 26 Jul 2024 21:06:52 -0700
Message-ID: <0f86afa6-416f-1eb2-a977-794c7d3f0fff@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Paul Wouters <paul@nohats.ca>, Mark Andrews <marka@isc.org>
In-Reply-To: <C9A1D9BF-30C7-4507-BC49-9B772B4ACB6B@nohats.ca>
References: <3DA28E74-88A9-4EDB-84D3-F862272072AF@isc.org> <C9A1D9BF-30C7-4507-BC49-9B772B4ACB6B@nohats.ca>
CC: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2EHD4alcafEhBRk4GNmWS5SDXcw>

>> Even if we were to go with one failure is allowed we still need to
>> write down the new rules and there will be complaints that we are
>> retrospectively changing the rules.  This is grandfathering in the
>> old rules for the old algorithms.
>
> Write a BCP, not a standard disallowing key id clashes.

Right.  We all know that flag days never happen, so resolvers will 
always have to include too many keytags or signatures in the list 
of things to limit the work.  So remind people that there's going to be a 
limit, and if you are smart your zones won't go anywhere near it, and move 
on.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
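The two sides of the limit being discussed, as an added example that is not part of the original message, the draft, or any resolver's code: the zone-operator check that a DNSKEY RRset does not publish keys with colliding key tags, and the validator-side selection of candidate keys for an RRSIG with a cap on how many it will try. The key tag arithmetic is RFC 4034 Appendix B; the presentation-format parser assumes dig-style `owner TTL IN DNSKEY flags proto alg base64` lines; the sample keys are constructed with tiny fake public keys so the script runs offline, and the cap value is a local-policy assumption, not a number taken from the thread.

```python
"""Key tag collision checks for a DNSSEC DNSKEY RRset (added example, not
code from the draft, from ISC, or from any resolver).  Sample keys below are
constructed with tiny fake public keys; only the key tag arithmetic is real."""
import base64
import struct
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for every algorithm except 1 (RSA/MD5).

    Sum the RDATA as 16-bit big-endian words, fold the carry in once, keep the
    low 16 bits.  It is a checksum, not a hash: keys whose words sum alike
    (e.g. the same words in a different order) share a tag.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> DNSKEY:
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' (assumed dig-style)."""
    f = line.split()
    if len(f) < 8 or f[3].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    pubkey = base64.b64decode("".join(f[7:]))  # key may be split over fields
    return DNSKEY(f[0].lower(), int(f[4]), int(f[5]), int(f[6]), pubkey)


def load_keys(text: str) -> list[DNSKEY]:
    return [parse_dnskey(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith(";")]


def tag_groups(keys):
    """Group keys by what a validator matches an RRSIG on: owner, algorithm, tag."""
    groups = defaultdict(list)
    for k in keys:
        groups[(k.owner, k.algorithm, key_tag(k.rdata()))].append(k)
    return groups


def collisions(keys):
    """(owner, algorithm, tag) groups holding two or more *distinct* keys."""
    return {t: ks for t, ks in tag_groups(keys).items() if len({k.rdata() for k in ks}) > 1}


def candidate_keys(keys, owner, algorithm, rrsig_keytag, max_candidates):
    """Validator side: DNSKEYs an RRSIG with this tag could have been made with.

    RFC 4035 5.3.1 matches on owner, algorithm and key tag, so colliding tags
    mean one signature check per candidate.  The cap bounds that work; its
    value is local policy (an assumption here, not a number from the thread).
    """
    cands = tag_groups(keys).get((owner.lower(), algorithm, rrsig_keytag), [])
    if len(cands) > max_candidates:
        raise ValueError(f"{len(cands)} DNSKEYs share tag {rrsig_keytag} for "
                         f"{owner}/alg {algorithm}; validator tries at most {max_candidates}")
    return cands


def _rr(owner, flags, alg, pubkey):
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


# Constructed sample RRset: one KSK and three ZSKs, algorithm 13.  The first two
# ZSK public keys are the same 16-bit words in swapped order, so they collide on
# key tag although the keys differ.  The last one exercises the carry fold.
SAMPLE_ZONE = "\n".join([
    _rr("example.test.", 257, 13, b"\x10\x20\x30\x40"),
    _rr("example.test.", 256, 13, b"\x01\x02\x03\x04"),
    _rr("example.test.", 256, 13, b"\x03\x04\x01\x02"),
    _rr("example.test.", 256, 13, b"\xff" * 10),
])


if __name__ == "__main__":
    keys = load_keys(SAMPLE_ZONE)
    for k in keys:
        print(f"{k.owner} flags={k.flags} alg={k.algorithm} tag={key_tag(k.rdata())}")
    for (owner, alg, tag), ks in collisions(keys).items():
        print(f"COLLISION: {len(ks)} keys at {owner} alg {alg} share tag {tag}")
    try:
        candidate_keys(keys, "example.test.", 13, 2067, max_candidates=1)
    except ValueError as e:
        print("validator would refuse:", e)
```

Running `collisions()` over the output of `dig +short DNSKEY <zone>` (with the owner, TTL and class columns added back) before a key is published, or at rollover time when pre-published keys are added, is the operator-side habit the message recommends: if a freshly generated key lands in an existing tag group, generate another one rather than publish it.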