Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)

Petr Špaček <petr.spacek@nic.cz> Tue, 28 March 2017 15:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/56KF2mfDfQkbIB_WP8itW0zt3yQ>

On 28.3.2017 17:47, Paul Wouters wrote:
>> So again, MUST NOT is the right choice. I'm going to write tests for
>> Knot Resolver to ensure we never set the AD bit for zones signed using MD5.
>> Right now.
> 
> If you want to accomplish this, why not actually follow the MUST NOT and remove MD5 support so it is treated as an unsupported algorithm and also won't get an AD bit? That way your code has no MD5-specific handling.

Sure, my message did not mention any special handling at all.
The test will make sure it is removed and stays removed :-)

-- 
Petr Špaček  @  CZ.NIC
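
Added example, not part of the original message and not Knot Resolver code: a simplified model of the behaviour discussed above, where RSAMD5 is simply absent from the supported set, so a zone whose DS RRset lists only MD5 takes the generic "unsupported algorithm" path (RFC 4035 section 5.2) and never gets the AD bit. The function names and the particular supported set are assumptions made for the illustration.

```python
from enum import Enum

# IANA DNSSEC algorithm numbers (real values). Which of them this model
# validator supports is an assumption made for the example.
RSAMD5, RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519 = 1, 5, 8, 13, 15
SUPPORTED_ALGORITHMS = frozenset({RSASHA256, ECDSAP256SHA256, ED25519})


class Status(Enum):
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"


def zone_status(ds_algorithms, verified_algorithms):
    """Classify a zone from its authenticated DS RRset.

    ds_algorithms: algorithm numbers listed in the parent's DS RRset.
    verified_algorithms: algorithms whose RRSIG over the answer checked
        out cryptographically (a real validator computes this itself;
        here it is an input so the policy can be tested in isolation).
    """
    if not ds_algorithms:
        # Authenticated absence of DS: an unsigned delegation.
        return Status.INSECURE
    usable = set(ds_algorithms) & SUPPORTED_ALGORITHMS
    if not usable:
        # No supported algorithm in the DS RRset: treated exactly like
        # an unsigned zone. There is no MD5-specific branch anywhere.
        return Status.INSECURE
    if usable & set(verified_algorithms):
        return Status.SECURE
    # A supported algorithm was promised by the DS RRset but nothing
    # verified with it; a signature made with an unsupported algorithm
    # cannot rescue the answer.
    return Status.BOGUS


def ad_bit(ds_algorithms, verified_algorithms):
    """The AD bit is set only for answers from SECURE zones."""
    return zone_status(ds_algorithms, verified_algorithms) is Status.SECURE
```

A regression test against this model asserts both that algorithm 1 is missing from the supported set and that an MD5-only zone yields no AD bit, which is what keeps the support "removed and staying removed".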