Re: [DNSOP] [Ext] Call for Adoption: draft-belyavskiy-rfc5933-bis

Paul Hoffman <> Tue, 07 July 2020 02:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 24ADC3A08ED for <>; Mon, 6 Jul 2020 19:17:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DGjq9YRCj9vf for <>; Mon, 6 Jul 2020 19:17:16 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3CB563A08EB for <>; Mon, 6 Jul 2020 19:17:16 -0700 (PDT)
Received: from ( []) by ( with ESMTPS id 0672HBCI011377 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 7 Jul 2020 02:17:12 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 6 Jul 2020 19:17:09 -0700
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1497.006; Mon, 6 Jul 2020 19:17:09 -0700
From: Paul Hoffman <>
To: Tim Wicinski <>
CC: "" <>
Thread-Topic: [DNSOP] [Ext] Call for Adoption: draft-belyavskiy-rfc5933-bis
Date: Tue, 7 Jul 2020 02:17:09 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_09BCF0D5-4518-4D9B-B9FD-13935249A88A"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-07_01:2020-07-06, 2020-07-06 signatures=0
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-belyavskiy-rfc5933-bis
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jul 2020 02:17:18 -0000

On Jul 6, 2020, at 6:07 PM, Tim Wicinski <> wrote:
> All
> I've been going over the CfA comments, and discussing this with my chairs and Warren, and 
> perhaps the best way to walk through the logic in our decision is to work backwards.
> The authors are requesting a code point for their algorithm in this IANA registry:
> To receive such a code point a "Standards Action", which is defined as:
>     For the Standards Action policy, values are assigned only through
>     Standards Track or Best Current Practice RFCs in the IETF Stream.
> Which means that 1) Informational will not work; and 2) Independent Stream will not work.
> In the excellent discussion on this, what seems to be the underlying consensus is 
> the need to publish the document to establish the code point, and document it as such.

So far, so good.

> To not adopt this means, the implementers could easily pick their own 

This seems unlikely. If they step on unallocated code points, few implementers will go along with that because implementers generally respect the IETF and IANA more than they respect a country's crypto regime.

If we fix the registries in question to not require standards-track RFCs, then we don't need to adopt this document: the authors could publish them through the ISE.

> There was also discussion on updating the table in []
> (implementation recommendations for DNSKEY algorithms), and here seemed to be some consensus around MAY

Yes, great.

> There was also an orthogonal discussion around changing the registry from "Standards Action"
> to "RFC Required".  

That was not orthogonal at all. It was directly intended to allow the WG to not adopt this document and yet allow the authors to get what they want, which are IANA code point allocations that implementers can then find the relevant documents for.

It feels weird for the DNSOP WG to recommend to the IETF that it publish a standards-track document that virtually no one in the WG understands. The DNSOP WG could use the same pattern as other IETF WGs (TLS, SMIME, IPsec, ...) for the past 25+ years.

And, before anyone says "but we'll run out of code points!", please take a look at how small the registries are for those other crypto protocols. There are a handful of countries with their own crypto, but the number is surprisingly low.

> While this seems to be a simple procedural move, I fear that doing
> so haphazardly without understanding the operational considerations is completely 
> wrong (Remember, We are DNS OPerations)

I'm not seeing how following what the other WGs have been doing for decades as "haphazard".

> Mr. Wouters made the very correct comment that "no one outside the IETF really knows the difference for RFCs anyway."
> This was something I was reminded of all too well during the DNS RPZ discussions. 

This document is not for people outside the IETF: it's for implementers. They do indeed consider standards-track RFCs different than informational RFCs. That is why we had to create RFC 8624.

> Summary:  Adopt as Standards Track because we have to add text to the state as such.  We will not spend a lot
> of WG time on this document, and Warren and I will end up doing the heavy lifting on all the process portions.

That feels exactly wrong. "We didn't really read this draft, but we want you to make it an IETF standard". My counter-proposal was "we made it easier for folks with national algorithms to get their code points without having to deal with the WG process".

--Paul Hoffman