Re: [DNSOP] [Ext] DNSSEC Strict Mode

Ben Schwartz <bemasc@google.com> Thu, 25 February 2021 16:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3n6SnN3ZUOYDGZEyfpc3oS9T8zo>

On Thu, Feb 25, 2021 at 10:26 AM Paul Hoffman <paul.hoffman@icann.org>
wrote:

> In reading draft-schwartz-dnsop-dnssec-strict-mode, I still don't
> understand why it is even useful. If I am signing one of my zones with two
> algorithms, I must intend to do so. What is the value of me saying that
> only one of the signing algorithms is the strong one?
>

That's not especially the intent.  Currently, if you sign with two
algorithms, and either of those algorithms becomes insecure*, your zone
becomes susceptible to forgery.  If you mark both algorithms as Strict,
then your zone remains secure (for validators who implement both algorithms
and this draft).

Marking only one algorithm as Strict is necessary during certain
transitions but is not otherwise very useful.

*possibly unbeknownst to the public
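A toy model of the validator decision the message describes, added here as an illustration and not code from the draft or from any DNS implementation: HMAC tags stand in for real RRSIG signatures so it runs offline, the algorithm numbers are DNSSEC's (8 = RSASHA256, 13 = ECDSAP256SHA256), and strict marking is abstracted to a set of algorithm numbers rather than the draft's actual signalling.

```python
"""Validator policy with and without strict algorithms (toy model, added example)."""
import hashlib
import hmac

# Constructed zone keys, one per signing algorithm. Tags are HMACs standing in
# for real signatures; "algorithm 8 becomes insecure" is modelled as the
# attacker obtaining the ability to sign under algorithm 8.
ZONE_KEYS = {8: b"zone-key-alg8", 13: b"zone-key-alg13"}

def sign(alg, key, rrset):
    """Return a toy RRSIG as (algorithm, tag) over the canonical RRset bytes."""
    return (alg, hmac.new(key, rrset, hashlib.sha256).digest())

def tag_ok(alg, tag, rrset):
    return hmac.compare_digest(tag, sign(alg, ZONE_KEYS[alg], rrset)[1])

def validate(rrset, rrsigs, supported, strict=frozenset()):
    """Accept or reject an RRset.

    Classic rule: one valid signature from any supported algorithm suffices.
    Strict rule (as described in the thread; assumed semantics): every
    algorithm the zone marks strict AND the validator supports must also
    have a valid signature. Unsupported strict algorithms cannot bind.
    """
    valid = {alg for alg, tag in rrsigs
             if alg in supported and tag_ok(alg, tag, rrset)}
    if not valid:
        return False
    return (strict & supported) <= valid

def demo():
    rrset = b"www.example. 300 IN A 192.0.2.1"          # constructed
    forged_rrset = b"www.example. 300 IN A 203.0.113.9"  # constructed
    legit = [sign(8, ZONE_KEYS[8], rrset), sign(13, ZONE_KEYS[13], rrset)]
    forged = [sign(8, ZONE_KEYS[8], forged_rrset)]       # alg 8 broken, no alg 13
    both, strict = {8, 13}, {8, 13}
    return {
        "legit_classic": validate(rrset, legit, both),
        "legit_strict": validate(rrset, legit, both, strict),
        "forged_classic": validate(forged_rrset, forged, both),
        "forged_strict": validate(forged_rrset, forged, both, strict),
        # A validator that only implements alg 8 is not protected by strict.
        "forged_strict_alg8_only": validate(forged_rrset, forged, {8}, strict),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The forged RRset is accepted under the classic any-algorithm rule but rejected once both algorithms are strict, except by a validator that does not implement the second algorithm, which matches the caveat in the message.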