Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt

Tom Pusateri <pusateri@bangj.com> Tue, 04 September 2018 12:45 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 402E2130E2A for <dnsop@ietfa.amsl.com>; Tue, 4 Sep 2018 05:45:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQcMx57nwlgS for <dnsop@ietfa.amsl.com>; Tue, 4 Sep 2018 05:45:49 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16D7F130E17 for <dnsop@ietf.org>; Tue, 4 Sep 2018 05:45:48 -0700 (PDT)
Received: from butte.mountain2sea.com (69-77-155-155.static.skybest.com [69.77.155.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id D9C672399; Tue, 4 Sep 2018 08:40:51 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <4A37A03C-0E35-49D5-BFEB-29CFC02FD9DF@isc.org>
Date: Tue, 4 Sep 2018 08:45:45 -0400
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <65CBA85D-725E-433F-8E49-2E7F186B4605@bangj.com>
References: <153507165910.12116.7113196606839876181.idtracker@ietfa.amsl.com> <AFB90F6F-5D99-4403-AAB6-1123727973E6@bangj.com> <EA46641B-CD22-4549-862D-CF1508B81E0A@isc.org> <4A37A03C-0E35-49D5-BFEB-29CFC02FD9DF@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BCxfnnckKzQI7yiLTvEO3trlfD8>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2018 12:45:54 -0000


> On Sep 3, 2018, at 8:58 PM, Mark Andrews <marka@isc.org>; wrote:
> 
> SHAKE128 does not meet these requirements.  In OPENSSL it is only
> available in pre-release code.  It will be years before OPENSSL-1.1.1
> is the OPENSSL release for most operating systems.
> 
> We (ISC) haven’t started working out what OPENSSL-1.1.1 breaks yet.
> OPENSSL-1.1.0 broke lots of existing code.  Lots of code required
> re-writing to work with OPENSSL-1.1.0 as it broke backwards compatibility
> with OPENSSL-1.0.x.

While I understand your point, OpenSSL 1.1.1 is the first release that will contain TLS 1.3. It is binary backward compatible with 1.1.0. Aside from our trivial use of SHAKE128, everyone is going to be upgrading to 1.1.1 as soon as possible to get TLS 1.3 support. See

https://wiki.openssl.org/index.php/TLS1.3

> 
> Please pick hash algorithms that are already USED by DNS.  The results
> can be truncated if you are worried about space.
> 
> And no it isn’t as easy as just calling OPENSSL.  PKCS#11 providers
> also need to support the hash algorithm.
> 

Ok, thanks for this extra info. I will look into it.

Tom