Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Joe Abley <jabley@hopcount.ca> Wed, 06 January 2021 21:09 UTC

From: Joe Abley <jabley@hopcount.ca>
Message-Id: <4A86C6AF-CC67-41B4-8DD6-ACECFC97CCD6@hopcount.ca>
Date: Wed, 06 Jan 2021 16:09:49 -0500
In-Reply-To: <CAHbrMsC+Et+iva-3Z1dqHn0HO_njhJT3q-gmoJcyopML_WDCWw@mail.gmail.com>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
To: Ben Schwartz <bemasc@google.com>
References: <CAHbrMsDAMsXzAhcu35_GqL54JNF2jO-HhYWEZyE2VLP=V8dN5A@mail.gmail.com> <9F0E83E0-EAB1-4508-9D55-850294204BD2@hopcount.ca> <CAHbrMsC+Et+iva-3Z1dqHn0HO_njhJT3q-gmoJcyopML_WDCWw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3WXk_9Fl_7Awn5yL0fu7F4sC45U>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On 6 Jan 2021, at 15:48, Ben Schwartz <bemasc@google.com> wrote:

> On Wed, Jan 6, 2021 at 3:37 PM Joe Abley <jabley@hopcount.ca> wrote:
> On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> > That model works well when (a) all validators implement an algorithm you like OR (b) you view each algorithm as either "definitely strong" or "worthless" (no middle ground).
> 
> We are in scenario (b).
> 
> I think the long half-life of RSA-1024 is an example of a violation of (b).

Can you explain that in more detail?

A zone administrator today might decide that RSA with 1024 bit keys is sufficient, or that SHA-1 is reasonable.

A validator administrator might decide otherwise, and decline to gauge authenticity using those signatures.

These are both reasonable local policies. It's ok that they disagree.

> I don't think it is orthogonal.  The prevalent local validator policies change the effect that zone owner choices will have, so zone owners need to know what those policies are.

I agree it's useful to encourage local policies to be sane. I'm not sure why making the kind of change you are talking about achieves that.

It seems clear to me that changing the behaviour in validators would break some things; it's less clear that a change of the kind you suggest would make anything better. I am definitely not yet firing on all cylinders though, this year, so I am fully prepared to discover that I am missing something. :-)


Joe
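The disagreement above turns on what a validator does with a signature whose algorithm or key size its local policy refuses. The following is an added illustration for readers of this thread, not code from any resolver, from the draft under adoption or from either poster. It models the outcome RFC 4035, Section 5.2 describes (a zone signed only with algorithms the validator does not support is treated as unsigned, i.e. "insecure", not "bogus") beside the stricter behaviour the thread worries about. The policy structure, the sample RRsets and the `verifies` flags standing in for real cryptographic checks are all constructed; only the algorithm numbers are real IANA values.

```python
"""Model of a DNSSEC validator's local algorithm policy (illustration only).

Not code from any validator or from the draft. Shows how the same zone
signed with RSA-1024 validates differently under two reasonable local
policies, and why marking refused algorithms as bogus instead of unsigned
would break resolution.
"""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (real values).
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13

RSA_ALGORITHMS = frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256})


@dataclass(frozen=True)
class Sig:
    """One RRSIG over an RRset, paired with the DNSKEY that produced it.

    `verifies` stands in for the cryptographic check, which is out of scope
    for this model (constructed input, not a real signature).
    """
    algorithm: int
    key_bits: int
    verifies: bool


@dataclass(frozen=True)
class ValidatorPolicy:
    """Local policy of one validating resolver (constructed, hypothetical fields)."""
    supported: frozenset
    min_rsa_bits: int = 0
    # True models a validator that treats a zone signed only with algorithms
    # it refuses as bogus instead of as unsigned (the RFC 4035 5.2 default).
    unsupported_is_bogus: bool = False

    def accepts(self, sig: Sig) -> bool:
        """Is this signature's algorithm/key size acceptable under local policy?"""
        if sig.algorithm not in self.supported:
            return False
        if sig.algorithm in RSA_ALGORITHMS and sig.key_bits < self.min_rsa_bits:
            return False
        return True


def validate(sigs, policy: ValidatorPolicy) -> str:
    """Classify an RRset's signatures as 'secure', 'insecure' or 'bogus'."""
    usable = [s for s in sigs if policy.accepts(s)]
    if not usable:
        # RFC 4035 5.2: no supported algorithm -> treat the data as unsigned.
        return "bogus" if policy.unsupported_is_bogus else "insecure"
    # At least one acceptable algorithm: the signature must actually verify.
    return "secure" if any(s.verifies for s in usable) else "bogus"


# Constructed policies for three hypothetical validator operators.
POLICIES = {
    # Accepts RSA-1024 and SHA-1, like the zone administrator in the thread.
    "lenient": ValidatorPolicy(
        supported=frozenset({RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256})),
    # Declines to gauge authenticity with RSA-1024 or SHA-1, per RFC 4035 5.2.
    "strict": ValidatorPolicy(
        supported=frozenset({RSASHA256, ECDSAP256SHA256}), min_rsa_bits=2048),
    # Same refusals, but refused algorithms count as bogus (the breaking change).
    "strict_bogus": ValidatorPolicy(
        supported=frozenset({RSASHA256, ECDSAP256SHA256}), min_rsa_bits=2048,
        unsupported_is_bogus=True),
}

# Constructed RRset signatures: a zone signed only with RSA-1024/SHA-1,
# and a zone with a strong algorithm whose signature fails to verify.
ZONE_RSA1024 = [Sig(RSASHA1, 1024, verifies=True)]
ZONE_TAMPERED = [Sig(RSASHA256, 2048, verifies=False)]


def outcomes(sigs) -> dict:
    """Validation result of one RRset under each constructed policy."""
    return {name: validate(sigs, policy) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for label, sigs in (("RSA-1024 zone", ZONE_RSA1024), ("tampered zone", ZONE_TAMPERED)):
        print(label, outcomes(sigs))
```

Under `lenient` the RSA-1024 zone is secure; under `strict` it is insecure, so names still resolve, just without the AD bit; under `strict_bogus` it fails to resolve at all, which is the "break some things" case. A genuinely bad signature under an accepted algorithm is bogus under every policy, so declining an algorithm and detecting tampering remain distinct outcomes.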