Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt

Mark Andrews <marka@isc.org> Tue, 19 February 2019 01:28 UTC

From: Mark Andrews <marka@isc.org>
To: Tom Pusateri <pusateri@bangj.com>
Cc: dnsop WG <dnsop@ietf.org>
Date: Tue, 19 Feb 2019 12:28:08 +1100
In-Reply-To: <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org> <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com>
Message-Id: <205A5BE4-C2B0-4314-B83C-B90D05766C3E@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7XtHGUmDCbasASQR1vRpchik-iQ>


> On 19 Feb 2019, at 11:47 am, Tom Pusateri <pusateri@bangj.com> wrote:
> 
> Mark,
> 
>> Just closing the issue isn’t addressing it.
> 
> That’s not a fair point about closing issue #19.
> 
> Your main concern was that SHA-3 algorithms might not be easily available but, luckily, they shipped with TLS 1.3 in OpenSSL 1.1.1 and so I thought #19 was a solved issue.
> 
> Regardless, sooner or later, someone will be the first to use a SHA-3 algorithm that’s better than the SHA-2 algorithms DNS uses today. It’s only a matter of time. SHA-3 has been out since 2015. As soon as you support TLS 1.3, you’ll have all the SHA-3 algorithms with a simple API call and it should be available everywhere because TLS 1.3 will be needed everywhere.

Where is the need to use SHA-3?  This is introducing a new algorithm for the sake of
introducing a new algorithm.  Just because TLS 1.3 uses SHAKE128 is not a reason for
DNS to use SHAKE128.  There are plenty of platforms that don’t need to use TLS at
all.  They don’t have web interfaces.  Transaction security is provided by something
other than TLS.

There are also lots of old server platforms that just won’t ever upgrade their OpenSSL
package.  Adding SHA-3 creates yet another dependency / impediment to upgrading the DNS
server.

And before someone mentions DoT and DoH. DoT/DoH have their uses but not everywhere
needs to use DoT/DoH.  DoT/DoH adds baggage which isn’t always justified.

Mark

> I will reopen this issue for discussion but I don’t see yet how this is a problem.
> 
> Thanks,
> Tom
> 
>> On Feb 18, 2019, at 7:27 PM, Mark Andrews <marka@isc.org> wrote:
>> 
>> I have yet to see a justification for using SHAKE128 vs any of the existing
>> hash algorithms used in DNS.  You really need to justify this choice on security
>> concerns.  DNS server implementers need to support multiple crypto backends and
>> adding yet another algorithm is not as easy as just calling OpenSSL.  It’s writing /
>> expanding a shim layer.  It’s checking for the existence on all the platforms
>> the server is built on.  
>> 
>> https://github.com/pusateri/draft-pusateri-dnsop-update-timeout/issues/19
>> 
>>> On 19 Feb 2019, at 10:34 am, Tom Pusateri <pusateri@bangj.com> wrote:
>>> 
>>> DNSOP,
>>> 
>>> We have updated the TIMEOUT resource record draft based on the great feedback from Mark Andrews, Joe Abley, Ted Lemon, and Paul Vixie. I think we have addressed all of the comments except for the Date format concern from Mark. That is still an outstanding issue. Please comment on it if you have an opinion or feel free to open other issues against the document or send comments to the list.
>>> 
>>> The TIMEOUT RR is just like any other resource record now with no special handling.
>>> 
>>> Issues are on Github:
>>> https://github.com/pusateri/draft-pusateri-dnsop-update-timeout/issues
>>> 
>>> Thanks,
>>> Tom & Tim
>>> 
>>> 
>>>> Begin forwarded message:
>>>> 
>>>> From: internet-drafts@ietf.org
>>>> Subject: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
>>>> Date: February 18, 2019 at 6:26:35 PM EST
>>>> To: "Tim Wattenberg" <mail@timwattenberg.de>, "Tom Pusateri" <pusateri@bangj.com>
>>>> 
>>>> 
>>>> A new version of I-D, draft-pusateri-dnsop-update-timeout-01.txt
>>>> has been successfully submitted by Tom Pusateri and posted to the
>>>> IETF repository.
>>>> 
>>>> Name:		draft-pusateri-dnsop-update-timeout
>>>> Revision:	01
>>>> Title:		DNS TIMEOUT Resource Record
>>>> Document date:	2019-02-18
>>>> Group:		Individual Submission
>>>> Pages:		13
>>>> URL:            https://www.ietf.org/internet-drafts/draft-pusateri-dnsop-update-timeout-01.txt
>>>> Status:         https://datatracker.ietf.org/doc/draft-pusateri-dnsop-update-timeout/
>>>> Htmlized:       https://tools.ietf.org/html/draft-pusateri-dnsop-update-timeout-01
>>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-pusateri-dnsop-update-timeout
>>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-pusateri-dnsop-update-timeout-01
>>>> 
>>>> Abstract:
>>>> This specification defines a new DNS TIMEOUT resource record (RR)
>>>> that associates a lifetime with one or more zone resource records
>>>> with the same owner name, type, and class.  It is intended to be used
>>>> to transfer resource record lifetime state between a zone's primary
>>>> and secondary servers and to store lifetime state during server
>>>> software restarts.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>> 
>>>> The IETF Secretariat
>>>> 
>>> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
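To make the shim-layer point in the thread concrete, here is an added example (not code from the draft, from ISC, or from any DNS server) of the kind of backend wrapper an implementer has to extend when SHAKE128 joins the fixed-length hashes DNS already uses: availability must be probed per backend, and SHAKE128, being an extendable-output function, needs an output length the fixed hashes never required. Python's hashlib stands in for the crypto backend; the function and table names are my own.

```python
"""Hash-backend shim: fixed-length hashes beside the SHAKE128 XOF."""
import hashlib

# Fixed-output algorithms DNS already relies on, keyed by the name a
# zone operator would write, with the backend's name as the value.
FIXED = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384"}
# SHAKE128 is an extendable-output function (FIPS 202): the caller, not
# the algorithm, decides how many bytes come out.  This is the first
# place the shim needs a code path the fixed hashes never needed.
XOF = {"SHAKE128": "shake_128"}


def available(name):
    """Probe the backend for `name`, as a portable build would at configure time."""
    impl = FIXED.get(name) or XOF.get(name)
    return impl is not None and impl in hashlib.algorithms_available


def digest(name, data, out_len=None):
    """Digest `data` under `name`, hiding the XOF / fixed-length split.

    Fixed-length algorithms take no out_len (or one equal to their native
    size); SHAKE128 requires out_len, since an XOF has no default length.
    """
    if not available(name):
        raise RuntimeError(f"{name} is not provided by this crypto backend")
    if name in XOF:
        if out_len is None:
            raise ValueError(f"{name} is an XOF; an output length is required")
        return hashlib.new(XOF[name], data).digest(out_len)
    h = hashlib.new(FIXED[name], data)
    if out_len is not None and out_len != h.digest_size:
        raise ValueError(f"{name} yields {h.digest_size} bytes, not {out_len}")
    return h.digest()


def shake128_strength_bits(out_len):
    """(collision, preimage) strength of SHAKE128 truncated to out_len bytes.

    FIPS 202 Appendix A.1 gives min(d/2, 128) and min(d, 128) for d output
    bits, so a 32-byte SHAKE128 output is capped at 128 bits either way,
    unlike SHA-256, whose preimage strength is 256 bits at the same length.
    """
    d = 8 * out_len
    return min(d // 2, 128), min(d, 128)
```

Running `digest("SHAKE128", b"...")` without a length raises, which is exactly the API difference a shim has to paper over for every backend it supports.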