Re: [DNSOP] More private algorithms for DNSSEC
Nils Wisiol <nils@desec.io> Mon, 28 March 2022 08:50 UTC
Message-ID: <4569337c067704e1c609850779ba7bfe75a35d58.camel@desec.io>
From: Nils Wisiol <nils@desec.io>
To: Mark Andrews <marka@isc.org>, Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dnsop WG <dnsop@ietf.org>
Date: Mon, 28 Mar 2022 10:50:01 +0200
In-Reply-To: <CC878AFE-3B67-49D9-9A9E-F3D21BC900FB@isc.org>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com> <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org> <54622bd0dd3253187a9c9b69d0a1188a4d898bd9.camel@powerdns.com> <CC878AFE-3B67-49D9-9A9E-F3D21BC900FB@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Esm-7MUXm39JhMgk4oYv-FhPWRI>
On Mon, 2022-03-28 at 12:23 +1100, Mark Andrews wrote:
> Please quote where it is stated that “private is not for
> experimentation”.
>
> Private is private. Do what you want with it as long as you identify
> the algorithm uniquely and that includes experimental
> implementations.

Hi Mark,

my understanding of 'private' is that I cannot have any expectations on how the resolver will treat it. Hence, when experimenting with new DNSSEC algorithms, 'private' is not the behavior I am interested in. Instead, I am interested in how the resolver would treat my new algorithm if it was assigned a (regular, non-private) code point.

Arguing that resolvers would behave the same on unknown code points and private code points is difficult, as a large portion of users use closed-source implementations. You said yourself that BIND "currently" treats 253 as unknown; so different behavior is conceivable?

This uncertainty can be partially addressed by reserving some code points for "unknown algorithms" behavior (rather than the semantics of 253). While this will not solve all concerns with such studies, I'm not aware of significant downsides to reserving more code points. (Other than running out of numbers, do you have any other concern?)

Alternatively, people can just use unassigned numbers. I did that recently, and my impression was that people read that as me trying to create facts for a future official number assignment -- an impression that I did not intend to make and would like to avoid in the future.

Best,
Nils

-- 
deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany
Chair of the board: Nils Wisiol
Register court: AG Berlin (Charlottenburg) VR 37525
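As an added example (not from Nils's post or any resolver's code), here is how a validator can identify the algorithm a DNSKEY actually uses, including the private code points 253 and 254 whose real identifier lives inside the key data (RFC 4034 Appendix A.1), and decide whether a zone has any key it can validate; a zone with none is treated as insecure rather than bogus (RFC 4035 section 5.2), which is the "unknown algorithm" behavior the thread is about. It works on the DNSKEY RRset rather than the DS set as a simplification, and the sample keys, the name `alg.example.` and the OID are constructed.

```python
# Added example (not from the post): identify the algorithm a DNSKEY really
# uses, including private code points 253/254 (RFC 4034 App. A.1), and decide
# whether a zone has any key the validator can use (RFC 4035 s5.2).
PRIVATEDNS, PRIVATEOID = 253, 254

def _wire_name(data: bytes) -> str:
    """Decode the uncompressed wire-format name prefixing a PRIVATEDNS key."""
    labels, pos = [], 0
    while True:
        n = data[pos]  # raises IndexError on a truncated name
        pos += 1
        if n == 0:
            return ".".join(labels).lower() + "."
        if n > 63:
            raise ValueError("label length %d exceeds 63" % n)
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n

def _ber_oid(data: bytes) -> str:
    """Decode the BER-encoded OID (no tag) prefixing a PRIVATEOID key."""
    arcs, cur = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    if cur:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def algorithm_identity(algorithm: int, public_key: bytes) -> str:
    """Canonical identifier: '8', '253:<name>' or '254:<oid>'."""
    if algorithm == PRIVATEDNS:
        return "253:" + _wire_name(public_key)
    if algorithm == PRIVATEOID:
        return "254:" + _ber_oid(public_key[1:1 + public_key[0]])
    return str(algorithm)

def zone_validatable(dnskeys: list[tuple[int, bytes]], supported: set[str]) -> bool:
    """True if some key uses an implemented algorithm; else treat zone as insecure."""
    return any(algorithm_identity(a, k) in supported for a, k in dnskeys)

# Constructed sample keys: RSASHA256, PRIVATEDNS naming "alg.example.",
# PRIVATEOID carrying 1.3.6.1.4.1 (5 BER bytes), and unassigned number 200.
SAMPLE_KEYS = [
    (8, b"\x03\x01\x00\x01" + b"\xaa" * 8),
    (PRIVATEDNS, b"\x03alg\x07example\x00" + b"\xbb" * 8),
    (PRIVATEOID, b"\x05\x2b\x06\x01\x04\x01" + b"\xcc" * 8),
    (200, b"\xdd" * 8),
]
```

Note that an unassigned number such as 200 and a private key naming an unrecognised algorithm land in the same bucket as far as this validator is concerned, which is the equivalence Nils says is hard to argue for closed-source implementations.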