Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Daniel Migault <mglt.ietf@gmail.com> Thu, 31 December 2020 04:28 UTC

From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 30 Dec 2020 23:28:04 -0500
Message-ID: <CADZyTkmKe2vPWJrHsTj9xx9EZu1BpbPZrEn7hzJp5bFc6FH4VA@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/E8OwjhFZMRCdNjWmhJ9eRQElxpk>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

On Wed, Dec 30, 2020 at 10:22 PM Paul Wouters <paul@nohats.ca> wrote:

> On Dec 30, 2020, at 22:11, Daniel Migault <mglt.ietf@gmail.com> wrote:
> >
> > <mglt>
> > If I understand the comment correctly, it seems to say that TLS (for
> example) is using RFC Required and that DNSSEC should do the same. Quickly
> going through RFC 8447, I cannot find "RFC Required", so I am wondering if
> you have a specific registry in mind. As far as I can see, the TLS cipher
> suite registry requires Standard Action to set Recommended to "Y" and
> Specification Required otherwise. As a result, leaving it to Standard
> Action seems better aligned with what TLS does for "Recommended".
>
> As previously explained in this thread, you cannot compare TLS with
> DNSSEC. With TLS you can offer IETF algorithms along with a nation state
> algo, and the client can pick what it prefers.
>
> For DNSSEC, the signed zone has already made all the decisions. A DNS
> client cannot decide to use or not use its local national algo.
>
> Paul
>
<mglt>
I think you expand on what my response mentioned as: "Olafur comes with
additional differences between DNSSEC and other security protocols." So yes,
that is correct. I, however, do not see that contradicting that RFC Required
is not so widely used, even in other security protocols.
</mglt>

>
> > My motivation for not lowering the requirement is based on the
> specificities of DNS, that is, the DNS is a system that handles a global
> shared resource.
>
> For those regimes who for instance are not allowed to trust RSA or
> NIST/NSA based ECC curves, you prefer those zones use no DNSSEC at all
> versus say GOST ?
>
> Because that’s what you are offering as the only choice now.
>
<mglt>
I do not understand the reasoning. I am proposing a Standard Action
requirement and, as far as I can see, GOST [1] is Standards Track. It is
unclear to me what prevents DNSSEC being deployed with GOST.

[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5933-bis/
</mglt>

>
> Paul
>

-- 
Daniel Migault
Ericsson