Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Ted Lemon <mellon@fugue.com> Tue, 11 July 2017 11:05 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <3554CD07-1088-4378-ACC8-83E4E8E767D5@fugue.com>
Date: Tue, 11 Jul 2017 07:05:41 -0400
In-Reply-To: <alpine.LRH.2.21.1707101840110.2811@bofh.nohats.ca>
Cc: Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
To: Paul Wouters <paul@nohats.ca>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com> <CAHPuVdVWi-4nQeoBuyKe7f81mieVpznFwd25Nb5at6t-JpYzUA@mail.gmail.com> <CAHPuVdUnUhfVtvgBWbyXD1fWjz04QMKp59Ar1HNonmAkJeLj6A@mail.gmail.com> <alpine.LRH.2.21.1707101641220.31889@bofh.nohats.ca> <CAHPuVdVFyFrXxmpJg-hO0Wv_SD9FMpzYZjWtGFZeZA-9hFQaiA@mail.gmail.com> <alpine.LRH.2.21.1707101840110.2811@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2wjaomwSV4ivv5LFDXB7K0-wI18>

On Jul 10, 2017, at 6:55 PM, Paul Wouters <paul@nohats.ca> wrote:
> Okay, that explains it better. but does also confirm you basically want
> to be permanently in this state. Because every few years you will have
> new fancy algorithms. As a community we should really roll out updated
> algorithms faster and deprecate obsoleted algorithms faster.

Just a reminder: a few years ago we were talking about how to bootstrap trust on devices that had been on the shelf for longer than the life of the root key. Now you are proposing that we roll algorithms faster than that. I'm not saying you're wrong, but there are operational implications to this position.