Re: [DNSOP] Call for Adoption draft-wouters-sury-dnsop-algorithm-update

Paul Wouters <> Fri, 03 March 2017 22:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86E97129418 for <>; Fri, 3 Mar 2017 14:56:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id J-kkfJZ1XDfY for <>; Fri, 3 Mar 2017 14:56:20 -0800 (PST)
Received: from ( [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9EF48124281 for <>; Fri, 3 Mar 2017 14:56:19 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 3vZl0c4jbmz9K; Fri, 3 Mar 2017 23:56:16 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1488581776; bh=PgSN1SwkbrPp4X6HbSTr4mlxh/rvAHwivAQyFFMxPhg=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=dreQd5Asrcup4zZn7n11+vsKIVmBgOJ5jE2rCieWXfAesppV//wfa8I2Uvwml801q DTTEB3rqifMz7BuqNsxwAvly4odP+V4rm/xbsbzqYFQ87BavsDwhq2qZyLYAqX+2F3 3iiTTeVQEIp4NgzwbASL51dPQ6SUGmx3UfUXbVf0=
X-Virus-Scanned: amavisd-new at
Received: from ([IPv6:::1]) by localhost ( [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 02ZL5WSojdcI; Fri, 3 Mar 2017 23:56:15 +0100 (CET)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS; Fri, 3 Mar 2017 23:56:14 +0100 (CET)
Received: by (Postfix, from userid 1000) id B95B2446AEA; Fri, 3 Mar 2017 17:56:13 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 B95B2446AEA
Received: from localhost (localhost []) by (Postfix) with ESMTP id A2F0541D9FEE; Fri, 3 Mar 2017 17:56:13 -0500 (EST)
Date: Fri, 03 Mar 2017 17:56:13 -0500
From: Paul Wouters <>
To: Petr Špaček <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] Call for Adoption draft-wouters-sury-dnsop-algorithm-update
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Mar 2017 22:56:21 -0000

On Fri, 3 Mar 2017, Petr Špaček wrote:

> To improve the document I propose:
> - somehow add shortened version of (sometimes implied) advices from 1.2.
> Updating Algorithm Requirement Levels into SHOULD+/SHOULD-/MUST-
> definitions in 2.  Conventions Used in This Document.
> Examples I would like to see:
>   SHOULD-   This term means the same as SHOULD.  However, an algorithm
>             marked as SHOULD- may be deprecated to a MAY in a future
>             version of this document. It SHOULD be supported for
>             interoperability reasons.
>             Implementations which give control over used algorithms
>             to user SHOULD NOT use algorithms labeled with "SHOULD-"
>             as default choice. Algorithms with label "MUST" SHOULD
>             [yuck, rephrase this] be preferred.

In the past for ipsec, we have stayed away from telling implementers
what defaults to use. Perhaps this makes a little more sense in the
DNSSEC context, so that's something we should consider.

> Speaking of 3.  Algorithm Selection, I would like to see definitions of
> columns headers "DNSSEC Signing", "DNSSEC Validation", "DNSSEC
> Delegation" and "DNSSEC Validation" again either in 2.  Conventions Used
> in This Document or in text preceding the tables.


> Table headers in 3.1.  DNSKEY Algorithms seem somehow clear (signer vs.
> validator) but table 3.2.  DS and CDS Algorithms seems vague to me.
> My guesses:
> - "DNSSEC Validation" = usage in configuration file as Trust Anchor

What we mean is "consuming DS/CDS records"

> - "DNSSEC Delegation" = other uses than Trust Anchor in config file

And here we mean "producing DS/CDS records"

> Section 5.  Operational Considerations could emphasise recommendation to
> phase out SHOULD- algorithms in signers and other recommendations for
> MUST- etc. should be added here as well (or the section can be somehow
> merged with 2. Conventions)

The idea is that those terms indicate that already. And Section 5 is
meant to point to potential pitfalls for implementers.

> Editorial nits:
> Section 3.1.  DNSKEY Algorithms would be much easier to follow if text
> comments were labeled with algorithm number from the table and ordered
> by number. E.g.:
>   1: RSAMD5 is not widely deployed and there is an industry-wide trend
>      to deprecate MD5 usage.

It was not done like that because although in this case we felt we
should describe all table entries, that is not neccesarilly true in
the future. So we did not want to make it an enumerated list. I'll
think about how to increase the readability.

> Let me know if something above is not clear ;-)

I'd be interested if you as an implementer would be willing to follow
these recommendations. And for instance would stop creating new zones
with SHA1, or would stop producing SHA1 based DS records.