[DNSOP] The past ... Re: [Ext] About key tags
Edward Lewis <edward.lewis@icann.org> Fri, 01 March 2024 19:04 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C10C14F616 for <dnsop@ietfa.amsl.com>; Fri, 1 Mar 2024 11:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f2c01rF9ZhES for <dnsop@ietfa.amsl.com>; Fri, 1 Mar 2024 11:04:24 -0800 (PST)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67FD9C14F5E2 for <dnsop@ietf.org>; Fri, 1 Mar 2024 11:04:24 -0800 (PST)
Received: from MBX112-E2-VA-1.pexch112.icann.org (out.mail.icann.org [64.78.48.205]) by ppa4.dc.icann.org (8.17.1.24/8.17.1.24) with ESMTPS id 421J4CPC012063 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 1 Mar 2024 11:04:12 -0800
Received: from MBX112-E2-VA-1.pexch112.icann.org (10.217.41.128) by MBX112-E2-VA-1.pexch112.icann.org (10.217.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Fri, 1 Mar 2024 14:04:22 -0500
Received: from MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) by MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) with mapi id 15.02.1258.028; Fri, 1 Mar 2024 14:04:22 -0500
From: Edward Lewis <edward.lewis@icann.org>
To: Joe Abley <jabley@strandkip.nl>, Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Thread-Topic: The past ... Re: [DNSOP] [Ext] About key tags
Thread-Index: AQHabAtF9ygRGRY5H0ipe/gQkoq8dQ==
Date: Fri, 01 Mar 2024 19:04:22 +0000
Message-ID: <5E34D1B5-554F-4138-B2A9-5E6110803B15@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
x-originating-ip: [192.0.47.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F9C3153769252445B302A8D44EC2316D@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-01_20,2024-03-01_03,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8qMfpWdeIfFxR470WJxemsuuI1M>
Subject: [DNSOP] The past ... Re: [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2024 19:04:26 -0000
On 3/1/24, 10:52, "DNSOP on behalf of Joe Abley" <dnsop-bounces@ietf.org on behalf of jabley@strandkip.nl> wrote: >It's a shame that the design of keytags didn't anticipate a need for algorithm agility. I imagine that this was said with one of Joe's famous chuckles...but...yeah, there's a lot of places we didn't anticipate wisely... There's a lot we could have done differently, but at the time it wasn't apparent. When I raised this topic, my goal was to note that we should try to recreate key tags in any potential future design, such as might be enabled by DELEG. I didn't intend to say that we ought to erase key tags from use today. We have a choice to "just live with it" or "try to fix it" and we usually choose the former for the sake of expediency. Continuing to do that will eventually get us to a collapse, I fear. Maybe not when any of us are still working (to use a tired old phrase), but at some time. I've been toying with some other, not yet documented, idea related to DNSSEC, where I concluded that including the entire key was better than either a key tag or even a hash, due to the long-term nature of the records. E.g., if I have a key and I publish only its SHA-256 hash now and then later only a SHA-384 hash, how would you know it’s the same key if the key hasn't been published anywhere? In that case, I need to make the key known in its entirety. After the key tag thread began to rage, I had another thought, which would be to store DNSKEY resource records with owner names being <key_tag>.<zone_name>, which would make it easier to see the collisions. Like: 12345.example.com. DNSKEY ....something.... 23456.example.com. DNSKEY ....something.... It would also enable querying for just the key(s-if collision) needed. But this wouldn't make it easy to see if some key in the set had some special DELEG bit and it would cause problems for Automated Updates (which discovers new trust anchors via a time begun upon first sight). And of course, storing keys this way would be a major protocol overhaul. It's just a thought - and discounts some of the meanings we've overlayed on the DNSKEY resource record set as time has progressed.
- [DNSOP] The past ... Re: [Ext] About key tags Edward Lewis