[DNSOP] Signaling Cryptographic Algorithm Understanding (Was: key lengths for DNSSEC)

Steve Crocker <steve@shinkuro.com> Fri, 04 April 2014 18:59 UTC


Perhaps this is a good time for me to plug adoption of Signaling Cryptographic Algorithm Understanding, per RFC 6975.  The sooner this gets included in the implementation on the query side, the sooner we will have solid information on when it will be ok to phase out an obsolete algorithm.

This is not directly related to changes in key lengths, but it is relevant for the shifts from one algorithm to another, including changes in hash algorithms.

Steve



On Apr 4, 2014, at 12:28 PM, Tony Finch <dot@dotat.at> wrote:

> Frederico A C Neves <fneves@registro.br> wrote:
>> On Wed, Apr 02, 2014 at 04:25:10PM -0400, Nicholas Weaver wrote:
>>> 
>>> IMO they do until validators record and use a 'root key ratchet':
>>> never accept a key whose expiration is older than the inception date
>>> of the RRSIG on the youngest root ZSK seen, or have some other defense
>>> to roll-back-the-clock attacks.
>> 
>> What do you mean by "..key whose expiration is.."? A new property
>> recorded at this "ratchet", btw what is this?
> 
> I assume he means that the ratchet would observe when a key is no longer
> published in the DNSKEY RRset and treat it as implicitly revoked.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Portland, Plymouth: South 4 or 5, occasionally 6 in Plymouth. Slight or
> moderate. Rain, fog patches later. Moderate or poor, occasionally very poor.
> 
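What the query-side signaling and the resulting measurement look like in practice, as an added example that is not part of this thread: a small Python encoder/decoder for the RFC 6975 DAU/DHU/N3U EDNS options, plus the tally an authoritative operator could run over sampled queries to see whether an old algorithm can be phased out. The sample queries are constructed; the option codes and algorithm numbers are the IANA-registered values.

```python
import struct
from collections import Counter

# EDNS option codes from RFC 6975; option data is a list of one-octet algorithm numbers.
DAU, DHU, N3U = 5, 6, 7
OPTION_NAMES = {DAU: "DAU", DHU: "DHU", N3U: "N3U"}

def encode_options(dau=(), dhu=(), n3u=()):
    """OPT RDATA (RFC 6891 TLVs) a validator sends to announce what it verifies."""
    rdata = b""
    for code, algs in ((DAU, dau), (DHU, dhu), (N3U, n3u)):
        if algs:
            rdata += struct.pack("!HH", code, len(algs)) + bytes(algs)
    return rdata

def decode_options(rdata):
    """Parse OPT RDATA into {"DAU": [...], ...}; skip unknown options, reject bad lengths."""
    seen, pos = {}, 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("EDNS option length exceeds RDATA")
        if code in OPTION_NAMES:
            seen.setdefault(OPTION_NAMES[code], []).extend(rdata[pos:pos + length])
        pos += length
    if pos != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return seen

def algorithm_support(samples, option):
    """Authoritative-side tally for one option: (queries carrying it, Counter of
    how many of those list each algorithm). RFC 6975 means the signal for
    measurement like this, not for negotiating what the server signs with."""
    counts, signaling = Counter(), 0
    for rdata in samples:
        algs = decode_options(rdata).get(option)
        if algs is not None:
            signaling += 1
            counts.update(set(algs))
    return signaling, counts

# Constructed OPT RDATA from four queries: two validators list RSASHA1=5 and RSASHA256=8,
# one lists 8 and ECDSAP256SHA256=13, and one carries only an EDNS COOKIE (code 10).
SAMPLE = [
    encode_options(dau=(5, 8), dhu=(1, 2)),
    encode_options(dau=(5, 8)),
    encode_options(dau=(8, 13), dhu=(2,), n3u=(1,)),
    struct.pack("!HH", 10, 8) + b"\x00" * 8,
]
```

Over this sample, `algorithm_support(SAMPLE, "DAU")` shows RSASHA1 still listed by 2 of the 3 signaling validators, which is exactly the kind of number needed before retiring it.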