Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Daniel Migault <> Thu, 31 December 2020 04:28 UTC

From: Daniel Migault <>
Date: Wed, 30 Dec 2020 23:28:04 -0500
Message-ID: <>
To: Paul Wouters <>
Cc: Paul Hoffman <>, dnsop <>

On Wed, Dec 30, 2020 at 10:22 PM Paul Wouters <> wrote:

> On Dec 30, 2020, at 22:11, Daniel Migault <> wrote:
> >
> > 
> > <mglt>
> > If I understand clearly the comment, it seems to say that TLS ( for
> example ) is using RFC Required and that DNSSEC should do the same. Quickly
> going through RFC 8447, I cannot find "RFC Required", so I am wondering if
> you have a specific registry in mind. As far as I can see, the TLS cipher
> suite registry requires Standard Action to set Recommended to "Y" and
> Specification Required otherwise. As a result, leaving it to Standard
> Action seems better aligned with what TLS does for "Recommended".
> As previously explained in this thread, you cannot compare TLS with
> DNSSEC. With TLS you can offer IETF algorithms along with a nation state
> algo, and the client can pick what it prefers.
> For DNSSEC, the signed zone has already made all the decisions. A DNS
> client cannot decide to use or not use its local national algo.
> Paul
I think you expand on what my response mentioned as: "Olafur comes with
additional differences between DNSSEC and other security protocols." So yes,
that is correct. I, however, do not see that contradicting that RFC Required
is not so widely used - even in other security protocols.

> > My motivation for not lowering the requirement is based on the
> specificities of DNS, that is, the DNS is a system that handles a global shared
> resource
> For those regimes who for instance are not allowed to trust RSA or
> NIST/NSA based ECC curves, you prefer those zones use no DNSSEC at all
> versus say GOST ?
> Because that’s what you are offering as the only choice now.
I do not understand the reasoning. I am proposing a Standard Action
requirement and, as far as I can see, GOST [1] is Standards Track. It is unclear
to me what prevents DNSSEC from being deployed with GOST.


> Paul

Daniel Migault