Re: [DNSOP] [Ext] New Version Notification for draft-fanf-dnsop-sha-ll-not-00.txt (fwd)

John Levine <johnl@taugh.com> Wed, 11 March 2020 23:31 UTC

Date: Wed, 11 Mar 2020 19:31:04 -0400
Message-Id: <20200311233104.EC56415BAE43@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul.hoffman@icann.org
In-Reply-To: <2914DB1A-F7A3-4F1B-A2F0-DA054B4473C4@icann.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AULzod6VJSj0ex7wCUPugGhowpY>

In article <2914DB1A-F7A3-4F1B-A2F0-DA054B4473C4@icann.org> you write:
>If we can determine when something in the realm of "almost all" DNSSEC signing with algorithms that use SHA-1 is
>done, then it is reasonable for the WG to propose that software that validates DNSSEC can stop doing so.

FWIW, the 2007 DKIM spec said that RSA keys SHOULD be at least 1024
bits but allowed 512 bits as what we intended as a short transition.
In fact, vast amounts of mail continued to have 512-bit signatures and
ignored all the pleas and warnings until 2012, when Google told the
world that they'd stop validating 512-bit signatures.  At that point,
in about a week, everyone fixed their signers to use 1024.

The people who run DNS servers and the ones who run mail servers are often
not the same, but I don't see any reason to think DNS operators are any
less lazy.

What this tells me is that the IETF cannot make credible threats of
this kind, so don't try.  People will stop signing with SHA-1 when
large DNSSEC consumers stop accepting it.  Comcast, perhaps.
-- 
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
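The two thresholds this message turns on, SHA-1-based DNSSEC algorithms and RSA keys below the 1024-bit floor that DKIM validators eventually enforced, as a small zone-audit script. This is an added example, not code from the post or from any IETF document; the DNSKEY records it checks are constructed samples, not real keys, and the helper names (`audit_dnskey`, `make_rsa_key`) are the example's own.

```python
import base64

# IANA DNSSEC algorithm numbers whose signature scheme is built on SHA-1,
# and the numbers whose public key is an RSA key in RFC 3110 wire format.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
RSA_ALGORITHMS = {5, 7, 8, 10}
MIN_RSA_BITS = 1024  # the floor the post says DKIM validators moved to

def rsa_modulus_bits(pubkey):
    """RFC 3110 layout: exponent length (1 byte, or 0 followed by a 2-byte
    length), the exponent, then the modulus. Return modulus size in bits."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[off + exp_len:], "big").bit_length()

def audit_dnskey(line):
    """Audit one DNSKEY in presentation format, i.e.
    <owner> [ttl] [class] DNSKEY <flags> <protocol> <algorithm> <base64...>;
    returns (owner, algorithm, rsa_bits_or_None, [problem strings])."""
    fields = line.split()
    i = fields.index("DNSKEY")
    algorithm = int(fields[i + 3])
    key = base64.b64decode("".join(fields[i + 4:]))
    problems, bits = [], None
    if algorithm in SHA1_ALGORITHMS:
        problems.append("algorithm %d (%s) depends on SHA-1" % (algorithm, SHA1_ALGORITHMS[algorithm]))
    if algorithm in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(key)
        if bits < MIN_RSA_BITS:
            problems.append("RSA modulus is only %d bits" % bits)
    return fields[0], algorithm, bits, problems

def make_rsa_key(modulus_bits):
    """Constructed sample key (NOT a real key): e=65537 plus an odd modulus of
    exactly modulus_bits bits, encoded per RFC 3110 and base64'd."""
    modulus = (1 << (modulus_bits - 1)) | 1
    wire = b"\x03" + (65537).to_bytes(3, "big") + modulus.to_bytes(modulus_bits // 8, "big")
    return base64.b64encode(wire).decode()

# Constructed sample zone fragment: a 512-bit RSASHA1 KSK (both problems),
# a 2048-bit RSASHA256 ZSK, and an ECDSAP256SHA256 ZSK (no RSA key to size).
SAMPLE_ZONE = [
    "example. 3600 IN DNSKEY 257 3 5 " + make_rsa_key(512),
    "example. 3600 IN DNSKEY 256 3 8 " + make_rsa_key(2048),
    "example. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(bytes(64)).decode(),
]

def audit_zone(lines):
    """Return only the records that have at least one problem."""
    return [r for r in (audit_dnskey(l) for l in lines) if r[3]]

if __name__ == "__main__":
    for owner, alg, bits, problems in audit_zone(SAMPLE_ZONE):
        print(owner, "alg", alg, "bits", bits, "->", "; ".join(problems))
```

Run against a real `dig DNSKEY` dump, the same two checks tell an operator whether their own zone would survive a validator that stops accepting SHA-1 the way Google stopped accepting 512-bit DKIM keys.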