Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Stephen Farrell <> Thu, 31 December 2020 22:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 327E23A0C22 for <>; Thu, 31 Dec 2020 14:09:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aZvK5zBVi6GH for <>; Thu, 31 Dec 2020 14:09:16 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4E51F3A0C12 for <>; Thu, 31 Dec 2020 14:09:15 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id DECBCBE4D; Thu, 31 Dec 2020 22:09:13 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5yTKSES3AKqe; Thu, 31 Dec 2020 22:09:12 +0000 (GMT)
Received: from [] ( []) by (Postfix) with ESMTPSA id E1C71BE4C; Thu, 31 Dec 2020 22:09:11 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1609452552; bh=MegXKa02LbVjtboeVbJnW0FNImPI8tjDqk5ZH9OOOt8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=efwNnMHd5qqWda9toGq5WU5LBTOLwSvOZDfxDpbleXFDL0rf+R/gIPNuPfZlDj3SC xEw81JkzxqLlDjaspLMR8i18PA5gs8i40W/K7DtcIGSBBp1K5JOzUctWuJ6XoT5yhW BnUX3SMxX+aMJXqjLBoSSIpkcsCBl7N6fqowhv44=
To: Eric Rescorla <>, Paul Wouters <>
Cc: Paul Hoffman <>, dnsop <>, Daniel Migault <>
References: <> <> <>
From: Stephen Farrell <>
Message-ID: <>
Date: Thu, 31 Dec 2020 22:09:11 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="Mc3S2kHTgdivPKVd0QT03yqQtkrr1f9Qw"
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Dec 2020 22:09:18 -0000


On 31/12/2020 21:48, Eric Rescorla wrote:
> 1. Don't allocate a code point at all
> 2. Allocate the code point but in some manner that makes clear
>     we don't endorse it (effectively what TLS does for algorithms
>     like this)
> 3. Allocate the code point without comment

FWIW, I kind of agree with ekr, both as to the options
and on my current preference to not too easily loosen
up for DNSSEC.

That said, I wonder as to the actual deployment of algs
that we'd not recommend, especially given the relative
scarcity of DNSSEC signing.

Does anyone have a pointer to survey-like material that
has a focus on rarer algorithms in DNSSEC? One reason to
ask is that from a first glance it looks to me like .ru
isn't using gost, which would be telling, if correct.

To be clear: I don't think spending much time debating
how to handle algs for an infinitesimal number of zones
is that worthwhile, so that'd be another reason to prefer
the status quo, if that is the case.