Re: [DNSOP] [Ext] About key tags

Paul Hoffman <paul.hoffman@icann.org> Wed, 28 February 2024 15:08 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: "libor.peltan" <libor.peltan=40nic.cz@dmarc.ietf.org>
CC: IETF DNSOP WG <dnsop@ietf.org>
Thread-Topic: [DNSOP] [Ext] About key tags
Date: Wed, 28 Feb 2024 15:08:44 +0000
Message-ID: <0B5DAACE-62E0-4107-905F-2AAEC279C06A@icann.org>
References: <20240227202409.70647840DF26@ary.qy> <0dbcd653-878e-4726-9a89-56655f8365eb@nic.cz>
In-Reply-To: <0dbcd653-878e-4726-9a89-56655f8365eb@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ao7Z3NEEMcI_CYGWo1HNf2PepLg>
Subject: Re: [DNSOP] [Ext] About key tags
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>

On Feb 28, 2024, at 03:52, libor.peltan <libor.peltan=40nic.cz@dmarc.ietf.org> wrote:
> 
> Hi John,
> Dne 27. 02. 24 v 21:24 John Levine napsal(a):
>> The total number of domains where I found duplicate tags was 105.
>> 
>> 
> As I said earlier, while I appreciate such research, I warn against misinterpreting it. The main point isn't about the zones that are currently experiencing a keytag-conflict; it's about the zones where there is a potential threat that they might do so tomorrow (considering the case when many mainstream validating resolvers would start enforcing strong keytag-conflict-intolerance).

You quoted the less-important part of his message. The most important part was:

> The total number where there were more than two tags with the same ID was ZERO.

An operational suggestion to validators of "stop if there are more than three keytags with the same value because that seems suspicious" would solve the problem for the validators much more quickly than "wait for some years after the prohibition on issuers goes through the IETF and is then implemented". It also means we don't have to update a 20-year-old spec.

--Paul Hoffman
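As an added example (not code from the message above or from any validator or signer discussed in the thread), the following Python computes DNSKEY key tags as defined in RFC 4034 Appendix B and applies the validator policy suggested in the reply, "stop if more than three keys in a DNSKEY RRset share one key tag", to constructed RRsets. The DNSKEY records and their public-key bytes are constructed so that their 16-bit word sums, and hence their key tags, coincide; they are not real keys, and the `limit` parameter and all function names are this example's own.

```python
"""Key tag computation (RFC 4034 Appendix B) and a collision-limit check
modelled on the policy suggested in the thread: a validator gives up on a
DNSKEY RRset when more than `limit` keys in it share a single key tag.

All DNSKEY records below are constructed for illustration; the public key
bytes are not real keys and the limit is a hypothetical policy parameter.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # e.g. 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key.
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: sum the RDATA as big-endian 16-bit words
    (a trailing odd byte counts as a high byte), fold the carry back in and
    keep the low 16 bits.  Algorithm 1 (RSA/MD5) uses a different rule in
    Appendix B.1 and is deliberately not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def tag_counts(rrset: List[DNSKEY]) -> Dict[int, int]:
    """Map each key tag to the number of keys in the RRset that carry it."""
    return dict(Counter(key_tag(k.rdata()) for k in rrset))


def exceeds_collision_limit(rrset: List[DNSKEY], limit: int = 3) -> Tuple[bool, int]:
    """Return (True, tag) if more than `limit` keys share one key tag, which is
    the condition under which the suggested policy stops validating; otherwise
    return (False, -1)."""
    for tag, n in tag_counts(rrset).items():
        if n > limit:
            return True, tag
    return False, -1


def _k(pub: bytes) -> DNSKEY:
    # Constructed KSK-flagged ECDSA-P256 record with a toy public key.
    return DNSKEY(flags=257, protocol=3, algorithm=13, public_key=pub)


# Constructed sample: the first four keys were chosen so that their 16-bit
# word sums are equal (0x0102+0x0304 == 0x0103+0x0303 == ...), so they share
# key tag 2068; the fifth key has a different tag (1039).
COLLIDING_RRSET = [
    _k(b"\x01\x02\x03\x04"),
    _k(b"\x01\x03\x03\x03"),
    _k(b"\x02\x02\x02\x04"),
    _k(b"\x00\x06\x04\x00"),
    _k(b"\x00\x00\x00\x01"),
]

# Constructed sample matching the case the thread's survey actually found:
# exactly two keys share a tag, which the suggested policy still tolerates.
DUPLICATE_PAIR_RRSET = COLLIDING_RRSET[:2] + COLLIDING_RRSET[4:]

if __name__ == "__main__":
    for name, rrset in (("colliding", COLLIDING_RRSET),
                        ("duplicate-pair", DUPLICATE_PAIR_RRSET)):
        stop, tag = exceeds_collision_limit(rrset)
        print(f"{name}: tags={tag_counts(rrset)} -> "
              f"{'stop (tag %d)' % tag if stop else 'continue'}")
```

The check runs on the whole DNSKEY RRset before any signature is tried, so its cost is one pass over the RDATA, whereas a validator that proceeds must attempt a verification against every key whose tag matches an RRSIG's key tag. Tolerating a pair of colliding tags, as the sample `DUPLICATE_PAIR_RRSET` does, matches the measurement quoted in the thread; raising or lowering `limit` is a local policy choice, not something the protocol fixes.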