Re: [DNSOP] [Ext] DNSSEC Strict Mode

Ben Schwartz <> Fri, 26 February 2021 19:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BDEEE3A1647 for <>; Fri, 26 Feb 2021 11:59:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pTYmebFHVA9j for <>; Fri, 26 Feb 2021 11:59:10 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E1C73A1629 for <>; Fri, 26 Feb 2021 11:59:10 -0800 (PST)
Received: by with SMTP id i9so7993029wml.0 for <>; Fri, 26 Feb 2021 11:59:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=p1C0ME8zr/bSnaCIrMR0IR54cF+VXV5oWKMeePnaehU=; b=AdzcjPlXCEbleERzh38tWPKKMb6leEO9q2iARczF7xOeuTmfHboWt4fgxieDFg3qCY sqYQzKNM4fofari4QPLmu57xQGoz/bBk6gHSENgMexJM7sHQ6JvGxjgiJKbtU6j9E/xI iu1iMqkSH+SKyBaaVfXfDewuPatQB3S/e+0zU+fcL5ilHXU56zpYi0plRBZmViOOEM4J Eyzv38TQ/IviefPRpjzLKcoJbFN8S9UYJdBM+FUgLVoFxT15wlrWmF3KMfe3DB1QxuMa 1XPoBFvJfFnpbZ4UhcVuhq1ZtWoZMliOlwOVszq6athDq8XlGv3Vo6HL6gnKNj9+V+EN xg1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=p1C0ME8zr/bSnaCIrMR0IR54cF+VXV5oWKMeePnaehU=; b=SefUpbdWgKexJTFIr+2EFqmhK/o+ASZSAAj7wTJiTBqlOcWHesKoZ9WmYl42jcUxW1 8rAdDtzoFBE5e6Rw+vpaDBEN6/O/OvUQseQUvS5rCGZkD/ldOSQTbYKK6816yPT/e5Wn IKEpUZq9bD+mMe+r2V0b2iMo6vYwK/kULNj7d9Yyp+tUo7q6U7DLU02Q070T7hogF9Ek p4gSqawTXrxj12vbSXjXFIzmECxtxFqzD7qyooOF5FCqcvvGP8OS1H4bnYTYqKgaKpiv x90o3ma2LvLHRHRfaiGJOivtBThDwddPRHGt9jqnzv1cK3Dnm+JVuUDPk/nyDotbcw+h 7rwA==
X-Gm-Message-State: AOAM533oqQISIllnBuLGM1T6bbpdaoBmVDaa5c7nxDuqUWDl9QsEO9uH MXMI5bqieJxT4PulyQxp5xjhpNB3h1ghIIYCWMkvK8AJHyyOqIaP
X-Google-Smtp-Source: ABdhPJxJH3WXc/ojM+XXNI8bcrM4rKJF3+nJBvymXE9t49V5pgKTGOLCYgjE+LmWaYGHz0vuTfBmOWCAB8PA5fmjGxw=
X-Received: by 2002:a7b:c8cc:: with SMTP id f12mr4368068wml.1.1614369547757; Fri, 26 Feb 2021 11:59:07 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: Ben Schwartz <>
Date: Fri, 26 Feb 2021 14:58:53 -0500
Message-ID: <>
To: dnsop <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="00000000000072a87405bc42b31b"
Archived-At: <>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Feb 2021 19:59:12 -0000


I think your analysis of the problems of current deployment are convincing
and useful.  Thanks!

> Improving practices in this space will do a lot more to improve
> DNSSEC security than downgrade-resistant key algorithm signalling.

I agree.  The Strict Mode draft is, in a sense, based on the pessimistic
assumption that we won't be able to sufficiently improve these practices,
so we'll need to be able to tolerate second-rate signature algorithms.
That could be because of outdated clients, postquantum concerns, or
conflicting national crypto requirements.  Also, the bar will be higher if
we believe that DNSSEC is not only for partial defense and special uses,
but a global security layer on par with HTTPS.

It's clear that the working group is not convinced.  That's fine!  As long
as everyone is aware of the challenge, we can revive this approach if it
becomes necessary.