Re: [DNSOP] [Ext] Post quantum DNSSEC ?

Paul Hoffman <paul.hoffman@icann.org> Tue, 15 October 2019 21:04 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44CA71200CC for <dnsop@ietfa.amsl.com>; Tue, 15 Oct 2019 14:04:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ylTVGZRupLuu for <dnsop@ietfa.amsl.com>; Tue, 15 Oct 2019 14:04:29 -0700 (PDT)
Received: from ppa5.dc.icann.org (ppa5.dc.icann.org [192.0.46.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F77C12081E for <dnsop@ietf.org>; Tue, 15 Oct 2019 14:04:29 -0700 (PDT)
Received: from PFE112-CA-1.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) by ppa5.dc.icann.org (8.16.0.27/8.16.0.27) with ESMTPS id x9FL4RSK012557 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <dnsop@ietf.org>; Tue, 15 Oct 2019 21:04:28 GMT
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 15 Oct 2019 14:04:26 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1497.000; Tue, 15 Oct 2019 14:04:26 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Post quantum DNSSEC ?
Thread-Index: AQHVg4xkrVmS16yvcUKtZ2cVhGXdVadcpsMA
Date: Tue, 15 Oct 2019 21:04:25 +0000
Message-ID: <2bcc20b2-9de0-a808-4e2c-054ff48f35fb@icann.org>
References: <alpine.OSX.2.21.99999.368.1910151455580.75899@ary.local>
In-Reply-To: <alpine.OSX.2.21.99999.368.1910151455580.75899@ary.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: text/plain; charset="utf-8"
Content-ID: <B614295491D54142BC910FC35F3F5209@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-10-15_08:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3e0WHjvtzgULQeATWa42_eFmSjg>
Subject: Re: [DNSOP] [Ext] Post quantum DNSSEC ?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 21:04:40 -0000

On 10/15/19 12:11 PM, John R Levine wrote:
> I just heard a most interesting talk at M3AAWG about postquantum crypto and particularly about the NIST candidate algorithms.  Many of them have much larger key or signature sizes than any current algorithm, like 10,000 bits or more.  Some are a lot slower than others.  Has anyone been looking at how these algorithms would or would not work with DNSSEC?  

Yes. (More specifically: https://datatracker.ietf.org/doc/draft-hoffman-c2pq/, which is very casually being worked on in the CFRG.)

Or, define "work with". Falling back to TCP for getting DNSKEY records might not be a big deal.

Or, maybe wait until NIST has gotten more through the process, given that key size and signature size are among the many factors they are considering.

> NIST is accepting comments and the talk said they particularly want comments from industry on how this would affect existing applications.
> 
> I can imagine ways to make things work, e.g, hashes in some places rather than signatures, but I don't understand DNSSEC in enough detail to figure out what's a show stopper.

Or when the show stops. Or what to do if there are multiple selected algorithms with different features (speed, size of signatures, speed of signing, ...)

--Paul Hoffman