Re: [DNSOP] [Ext] Post quantum DNSSEC ?
"John Levine" <firstname.lastname@example.org> Tue, 15 October 2019 21:26 UTC
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43549120052 for <email@example.com>; Tue, 15 Oct 2019 14:26:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Hcc0A1ws; dkim=pass (1536-bit key) header.d=taugh.com header.b=QYrRmZkA
Received: from mail.ietf.org ([126.96.36.199]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id meQkmWSu4WBG for <firstname.lastname@example.org>; Tue, 15 Oct 2019 14:26:02 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 751FB12004A for <email@example.com>; Tue, 15 Oct 2019 14:26:02 -0700 (PDT)
Received: (qmail 92142 invoked from network); 15 Oct 2019 21:26:01 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=167e9.5da63969.k1910; firstname.lastname@example.org; bh=AHbNJOIM3YCeIzYS3zfe41uzk/TJIaXd70ZIhljqyjU=; b=Hcc0A1ws0Ww5JMhfUeKZP6c2ge7aPnuQ+qBVlDkwwzvHbgMHMp0yspYitAYIoAVpBvInXpah3lgpr6QIZR7LfZeCxXrGT7pSShlXmi9jbm7RkIzyKf8hBac/9E8TFAgJZHyIeYc2NGjJgiIRK4skfgaGPKh3pLDgMyfQaI7zkGOLLhj0B6FPEA9BBto7If4kvzAaxVj4NY8OcdmD6FdtLeDwdnHIWYLUlYpcPDMQNfbnEBIk5e+X9G4S7tjZDLqi
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=167e9.5da63969.k1910; email@example.com; bh=AHbNJOIM3YCeIzYS3zfe41uzk/TJIaXd70ZIhljqyjU=; b=QYrRmZkAGzYEkf+ETtph5dPIYXX401s1eiKbpELhVB9rfm0RSPXEFWAtUkD1hKI2NKNaUmBMopvAAQt4A7G5uzYK4u/xLYQiXbNeTDobn8nSlWxkhaCwaa6awuGMmxnvpyXYoSPKJzYOTtmSRDlxwrN07Dh2t0WHAuDplR5YZODqLcdkP2LEIc5FOLnCqNMzZASfPuDrE2xA1whW53p/sAocXa0rWxWCa5uILoh/j8kW5AzZKbzp9b3hebjcf35G
Received: from ary.local ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, firstname.lastname@example.org) via TCP6; 15 Oct 2019 21:26:00 -0000
Received: by ary.local (Postfix, from userid 501) id 58352CBB977; Tue, 15 Oct 2019 17:26:00 -0400 (EDT)
Date: 15 Oct 2019 17:26:00 -0400
From: "John Levine" <email@example.com>
Organization: Taughannock Networks
Content-type: text/plain; charset=utf-8
Subject: Re: [DNSOP] [Ext] Post quantum DNSSEC ?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 21:26:05 -0000
In article <firstname.lastname@example.org> you write: >On 10/15/19 12:11 PM, John R Levine wrote: >> I just heard a most interesting talk at M3AAWG about postquantum crypto and particularly about the NIST candidate >algorithms. Many of them have much larger key or signature sizes than any current algorithm, like 10,000 bits or >more. Some are a lot slower than others. Has anyone been looking at how these algorithms would or would not work >with DNSSEC? > >Yes. (More specifically: https://datatracker.ietf.org/doc/draft-hoffman-c2pq/, which is very casually being worked >on in the CFRG.) > >Or, define "work with". Falling back to TCP for getting DNSKEY records might not be a big deal. Depends. A 1K key is one thing, a 50K key is another. If you are rotating keys so you have multiple key records, and the keys are large enough, what happens when the result packet is bigger than 64K? >Or, maybe wait until NIST has gotten more through the process, given that key size and signature size are among the >many factors they are considering. > >> NIST is accepting comments and the talk said they particularly want comments from industry on how this would >affect existing applications. The talk was by Brian LaMacchia, who opined it would e useful to send in some comments about how various increases in key size, signature size, and signing or verification speed would be likely to work with DNSSEC. It sounds like they're paying a lot of attention to TLS in their algo evaluations, a lot less to DNSSEC or DKIM or other protocols. I'll see if I can get his slide on the key and signature sizes for the candidate algorithms to be roughly as strong as a 3K RSA key. One of them would need a 500,000 bit key which makes me wonder what they were thinking.