Re: [DNSOP] [Ext] DNSSEC Strict Mode
Ben Schwartz <bemasc@google.com> Thu, 25 February 2021 16:06 UTC
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 25 Feb 2021 11:06:19 -0500
Message-ID: <CAHbrMsAdbn85AUCY9Yr6XXU-6Ti4dKwR1=zncGj4z-SjznAF3w@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3n6SnN3ZUOYDGZEyfpc3oS9T8zo>
On Thu, Feb 25, 2021 at 10:26 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> In reading draft-schwartz-dnsop-dnssec-strict-mode, I still don't
> understand why it is even useful. If I am signing one of my zones with two
> algorithms, I must intend to do so. What is the value of me saying that
> only one of the signing algorithms is the strong one?
>

That's not especially the intent. Currently, if you sign with two algorithms, and either of those algorithms becomes insecure*, your zone becomes susceptible to forgery. If you mark both algorithms as Strict, then your zone remains secure (for validators who implement both algorithms and this draft). Marking only one algorithm as Strict is necessary during certain transitions but is not otherwise very useful.

*possibly unbeknownst to the public
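As an added illustration (not code from the draft or from anyone in this thread), the following models the validator decision Ben describes: the legacy rule accepts a response if any supported algorithm's signature validates, while Strict Mode additionally requires a valid signature from every Strict algorithm the validator implements. It assumes Strict marking can be represented as a plain set of algorithm numbers; how the draft actually encodes the marking is not shown here, and the per-algorithm validation results are constructed inputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSigning:
    """Algorithms a zone is signed with, and which are marked Strict (assumed model)."""
    algorithms: frozenset
    strict: frozenset


def legacy_accepts(sig_valid: dict, zone: ZoneSigning, supported: set) -> bool:
    """Pre-draft behaviour: secure if any signature from a supported algorithm
    that the zone actually uses validates. Missing signatures count as invalid."""
    return any(
        sig_valid.get(alg, False) for alg in zone.algorithms if alg in supported
    )


def strict_accepts(sig_valid: dict, zone: ZoneSigning, supported: set) -> bool:
    """Strict Mode: every Strict algorithm this validator implements must have a
    valid signature; a Strict algorithm the validator does not implement cannot be
    enforced, which is why the thread says both algorithms must be implemented."""
    for alg in zone.strict & supported:
        if not sig_valid.get(alg, False):
            return False  # forged or stripped signature on a Strict algorithm
    return legacy_accepts(sig_valid, zone, supported)


# Constructed scenario: zone signed with RSASHA256 (8) and ECDSAP256SHA256 (13),
# both marked Strict; the validator implements both.
BOTH_STRICT = ZoneSigning(frozenset({8, 13}), frozenset({8, 13}))
# Transition state: algorithm 13 is being introduced and only 8 is Strict so far.
TRANSITION = ZoneSigning(frozenset({8, 13}), frozenset({8}))
FULL_VALIDATOR = {8, 13}

# Honest response: both signatures verify.
HONEST = {8: True, 13: True}
# Response crafted after algorithm 8 has been broken: the attacker can produce
# a verifying signature for 8 but not for 13 (constructed results, not real RRSIGs).
ALG8_BROKEN = {8: True, 13: False}


def compare(sig_valid: dict, zone: ZoneSigning, supported: set) -> dict:
    """Return both verdicts so the two policies can be compared side by side."""
    return {
        "legacy": legacy_accepts(sig_valid, zone, supported),
        "strict": strict_accepts(sig_valid, zone, supported),
    }
```

With both algorithms Strict, the broken-algorithm response is accepted by the legacy rule but rejected by Strict Mode; a validator that only implements algorithm 8 gets no benefit, matching the parenthetical in the reply.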