[DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC

Olafur Gudmundsson <ogud@ogud.com> Mon, 29 July 2024 16:03 UTC

From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <C9A1D9BF-30C7-4507-BC49-9B772B4ACB6B@nohats.ca>
Date: Mon, 29 Jul 2024 12:03:20 -0400
Message-Id: <3A9D3208-D05C-45BE-BC87-AC2506FAC182@ogud.com>
References: <3DA28E74-88A9-4EDB-84D3-F862272072AF@isc.org> <C9A1D9BF-30C7-4507-BC49-9B772B4ACB6B@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
CC: John R Levine <johnl@taugh.com>, dnsop <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
Subject: [DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5_zvigtmi2yov2bXQdQoO9jSBJw>


> On Jul 26, 2024, at 20:02, Paul Wouters <paul@nohats.ca> wrote:
> 
> 
> 
>> On Jul 26, 2024, at 16:08, Mark Andrews <marka@isc.org> wrote:
>> 
>> 
>> Even if we were to go with one failure is allowed we still need to
>> write down the new rules and there will be complaints that we are
>> retrospectively changing the rules.  This is grandfathering in the
>> old rules for the old algorithms.
> 
> Write a BCP, not a standard disallowing key id clashes.
> 
> Paul

+1 to that.
Most of the problems that resolvers have are a direct result of “bad practices” by zone publishers. Stop putting more rules on resolvers and give them “fig leaves” to reject early.

In this case the only real solution at protocol level is to say “Zone with alg+keyTag collision SHOULD/MUST be treated as BOGUS.”

Grumpy