Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt

Tom Pusateri <pusateri@bangj.com> Tue, 19 February 2019 00:47 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E89C71310C7 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 16:47:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3qZ1mM3SRyA for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 16:47:42 -0800 (PST)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B9F130E91 for <dnsop@ietf.org>; Mon, 18 Feb 2019 16:47:41 -0800 (PST)
Received: from [172.16.10.104] (mta-107-13-246-59.nc.rr.com [107.13.246.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 58C3427D9A; Mon, 18 Feb 2019 19:47:40 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org>
Date: Mon, 18 Feb 2019 19:47:39 -0500
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A9vXn3nzvcb-02x9p_NOoBAr87Y>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 00:47:45 -0000

Mark,

> Just closing the issue isn’t addressing it.

That’s not a fair point about closing issue #19.

Your main concern was that SHA-3 algorithms might not be easily available but, luckily, they shipped with TLS 1.3 in OpenSSL 1.1.1 and so I thought #19 was a solved issue.

Regardless, sooner or later, someone will be the first to use a SHA-3 algorithm that’s better than the SHA-2 algorithms DNS uses today. It’s only a matter of time. SHA-3 has been out since 2015. As soon as you support TLS 1.3, you’ll have all the SHA-3 algorithms with a simple API call and it should be available everywhere because TLS 1.3 will be needed everywhere.

I will reopen this issue for discussion but I don’t see yet how this is a problem.

Thanks,
Tom

> On Feb 18, 2019, at 7:27 PM, Mark Andrews <marka@isc.org> wrote:
> 
> I have yet to seen a justification for using SHAKE128 vs any of the existing
> hash algorithms used in DNS.  You really need to justify this choice on security
> concerns.  DNS server implementers need to support multiple crypto backends and
> adding yet another algorithm is not as easy as just calling OpenSSL.  It’s writing /
> expanding a shim layer.  It’s checking for the existence on all the platforms
> the server is built on.  
> 
> https://github.com/pusateri/draft-pusateri-dnsop-update-timeout/issues/19
> 
>> On 19 Feb 2019, at 10:34 am, Tom Pusateri <pusateri@bangj.com> wrote:
>> 
>> DNSOP,
>> 
>> We have updated the TIMEOUT resource record draft based on the great feedback from Mark Andrews, Joe Abley, Ted Lemon, and Paul Vixie. I think we have addressed all of the comments except for the Date format concern from Mark. That is still an outstanding issue. Please comment on it if you have an opinion or feel free to open other issues against the document or send comments to the list.
>> 
>> The TIMEOUT RR is just like any other resource record now with no special handling.
>> 
>> Issues are on Github:
>> https://github.com/pusateri/draft-pusateri-dnsop-update-timeout/issues
>> 
>> Thanks,
>> Tom & Tim
>> 
>> 
>>> Begin forwarded message:
>>> 
>>> From: internet-drafts@ietf.org
>>> Subject: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
>>> Date: February 18, 2019 at 6:26:35 PM EST
>>> To: "Tim Wattenberg" <mail@timwattenberg.de>, "Tom Pusateri" <pusateri@bangj.com>
>>> 
>>> 
>>> A new version of I-D, draft-pusateri-dnsop-update-timeout-01.txt
>>> has been successfully submitted by Tom Pusateri and posted to the
>>> IETF repository.
>>> 
>>> Name:		draft-pusateri-dnsop-update-timeout
>>> Revision:	01
>>> Title:		DNS TIMEOUT Resource Record
>>> Document date:	2019-02-18
>>> Group:		Individual Submission
>>> Pages:		13
>>> URL:            https://www.ietf.org/internet-drafts/draft-pusateri-dnsop-update-timeout-01.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-pusateri-dnsop-update-timeout/
>>> Htmlized:       https://tools.ietf.org/html/draft-pusateri-dnsop-update-timeout-01
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-pusateri-dnsop-update-timeout
>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-pusateri-dnsop-update-timeout-01
>>> 
>>> Abstract:
>>>  This specification defines a new DNS TIMEOUT resource record (RR)
>>>  that associates a lifetime with one or more zone resource records
>>>  with the same owner name, type, and class.  It is intended to be used
>>>  to transfer resource record lifetime state between a zone's primary
>>>  and secondary servers and to store lifetime state during server
>>>  software restarts.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>