Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Matthijs Mekking <matthijs@pletterpet.nl> Tue, 21 January 2020 17:20 UTC

To: Tony Finch <dot@dotat.at>
Cc: draft-ietf-dnsop-multi-provider-dnssec@ietf.org, "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com> <CAHPuVdUUeLx59B0SrzmFazd_rqUm1kU-ARG-LBEYa4jFQyaH3Q@mail.gmail.com> <3fb01cba-9558-531c-5764-9c34b111545b@pletterpet.nl> <CAHPuVdWNAJbGm=j96149Sb9gig1QuAyCXyVbsZY0BzhpP_DV3g@mail.gmail.com> <8af57aeb-66c5-fbb8-b62f-890a82c9d94e@pletterpet.nl> <alpine.DEB.2.20.2001211648180.7252@grey.csi.cam.ac.uk>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <059e722c-7144-66d9-be88-a3377c69a601@pletterpet.nl>
Date: Tue, 21 Jan 2020 18:19:57 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8hLORo4upsg1JUNYLskTuw8qTR0>


On 1/21/20 6:03 PM, Tony Finch wrote:
> Matthijs Mekking <matthijs@pletterpet.nl> wrote:
> 
>> I am not sure how they executed the algorithm rollover precisely.
>> Particularly, were there ever two DS records in the root zone with
>> different algorithms for these zones?
> 
> I can answer that :-)
> 
> Algorithm rollovers have to be double-KSK rollovers because DS records
> have to have a subset of the algorithms of the DNSKEY records. Having both
> algorithms in the DS record can only slow down the rollover so it's hard
> to think of situations where it would make sense (other than Shumon's
> multi-provider disagreement!)

As I suspected, in that case they were never a candidate for the multiple
algorithms check.
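The constraint Tony describes (a DS record is only useful for an algorithm that the apex DNSKEY RRset also carries and signs with) is the rule from RFC 4035 section 2.2, and it is what forces an algorithm rollover to be a double-KSK rollover: the new-algorithm DNSKEY and signatures must be in place before the parent publishes a DS for that algorithm. The following is an added example, not code from the draft, the thread or any of its authors. It reduces DS, DNSKEY and RRSIG records to the algorithm numbers they carry (8 = RSASHA256, 13 = ECDSAP256SHA256 are IANA numbers; the zone states are constructed), ignores TTLs and propagation delays, and checks each step of a conservative rollover against the rule, with and without a period where both DS records sit in the parent. Note that RFC 6840 section 5.11 tells validators to accept any single valid path, so this is the signer-side rule, which is the one that matters when planning a rollover.

```python
# Added example (not from the draft or the thread): a minimal checker for the
# RFC 4035 section 2.2 rule that shapes DNSSEC algorithm rollovers. Every
# algorithm in the parent's DS RRset must have a DNSKEY of that algorithm that
# signs the apex DNSKEY RRset, and every algorithm in the DNSKEY RRset must sign
# every RRset in the zone. Records are reduced to algorithm numbers; all inputs
# below are constructed, and TTL/propagation timing is deliberately ignored.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# IANA DNSSEC algorithm numbers used in the examples
ALG_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256"}


@dataclass(frozen=True)
class ZoneState:
    ds_algs: FrozenSet[int]      # algorithms present in the parent's DS RRset
    dnskey_algs: FrozenSet[int]  # algorithms present in the apex DNSKEY RRset
    rrsig_algs: FrozenSet[int]   # algorithms whose RRSIGs cover every RRset, DNSKEY included


def check_algorithm_rule(state: ZoneState) -> List[str]:
    """Return the violations of the RFC 4035 algorithm rule; empty list means consistent."""
    problems = []
    # A DS for an algorithm with no DNSKEY can never be matched: the chain of trust breaks.
    for alg in sorted(state.ds_algs - state.dnskey_algs):
        name = ALG_NAMES.get(alg, "unknown")
        problems.append(f"DS algorithm {alg} ({name}) has no matching DNSKEY")
    # A DNSKEY algorithm that does not sign everything leaves RRsets unverifiable
    # for validators that pick that algorithm. Together with the check above this
    # also guarantees that every DS algorithm signs the apex DNSKEY RRset.
    for alg in sorted(state.dnskey_algs - state.rrsig_algs):
        name = ALG_NAMES.get(alg, "unknown")
        problems.append(f"DNSKEY algorithm {alg} ({name}) does not sign all RRsets")
    return problems


Step = Tuple[str, ZoneState]


def double_ksk_rollover(old: int, new: int, ds_overlap: bool) -> List[Step]:
    """Steps of a conservative (double-signature) algorithm rollover from old to new.

    With ds_overlap=True the parent carries DS records for both algorithms for a
    while (the slower variant mentioned in the thread); with False the DS is
    swapped in a single step.
    """
    only_old, only_new = frozenset({old}), frozenset({new})
    both = frozenset({old, new})
    steps: List[Step] = [
        ("start", ZoneState(only_old, only_old, only_old)),
        ("publish new keys and sign with both algorithms", ZoneState(only_old, both, both)),
    ]
    if ds_overlap:
        steps.append(("add new DS alongside old", ZoneState(both, both, both)))
        steps.append(("remove old DS", ZoneState(only_new, both, both)))
    else:
        steps.append(("swap DS to new algorithm", ZoneState(only_new, both, both)))
    steps.append(("remove old keys and signatures", ZoneState(only_new, only_new, only_new)))
    return steps


def ds_first_rollover(old: int, new: int) -> List[Step]:
    """The order the rule forbids: publishing the new-algorithm DS before the DNSKEY."""
    only_old = frozenset({old})
    both = frozenset({old, new})
    return [
        ("start", ZoneState(only_old, only_old, only_old)),
        ("add new DS before new DNSKEY", ZoneState(both, only_old, only_old)),
    ]


def first_violation(steps: List[Step]) -> Optional[Tuple[str, List[str]]]:
    """Return (step label, problems) for the first inconsistent step, or None if all pass."""
    for label, state in steps:
        problems = check_algorithm_rule(state)
        if problems:
            return label, problems
    return None


if __name__ == "__main__":
    for overlap in (True, False):
        plan = double_ksk_rollover(8, 13, ds_overlap=overlap)
        print(f"double-KSK rollover, DS overlap={overlap}: {first_violation(plan)}")
    print("DS-first rollover:", first_violation(ds_first_rollover(8, 13)))
```

Both orderings of the double-KSK rollover pass every step, which is why keeping both DS records in the parent buys nothing except extra waiting; the DS-first plan fails at its second step because the parent then vouches for an algorithm the child does not yet sign with.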