Re: [DNSOP] draft-yorgos-dnsop-dry-run-dnssec-00 and DS digest field

Willem Toorop <> Mon, 04 April 2022 08:38 UTC

Thanks Libor,

I'm planning to create an overview of all the feedback and proposed
solutions to our issues we've had since IETF113 (including your
proposal), discuss that with the co-authors, and then post that to dnsop
together with an announcement that we're working on this.


-- Willem

On 30-03-2022 at 16:58, libor.peltan wrote:
> Hi dnsop, Yorgos, Willem, Roy,
> I really like this idea of dry-run DNSSEC. I think it could really help
> new DNSSEC adopters.
> The evidently weird thing of the proposal is the displacement of DS
> digest field into the first byte of DS hash field, in order to free up
> space for dry-run signalling. This will cause difficulties in human
> readability of resulting DS. The obvious counter-proposal would be to
> simply take the most-significant bit of the DS digest field (set to 1
> for dry-run), which would take 128 of available DS digest numbers
> (instead of just one), but wouldn't otherwise introduce any
> inconsistencies in DS format. As only four are taken so far, it seems
> viable to me.
> Should we (dnsop) discuss this specific matter, or even poll?
> Thanks,
> Libor
> _______________________________________________
> DNSOP mailing list
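
The two encodings contrasted in the quoted message, as an added Python example that is not part of the thread or of the draft: it builds the same dry-run DS RDATA with the real digest type displaced into the first octet of the digest field and with the most-significant bit of the digest type set, then prints what a dry-run-unaware tool would show. The dry-run code point `0xFF`, the function names and the sample key tag, algorithm and digest are assumptions constructed for illustration.

```python
import hashlib
import struct

# Digest lengths for the four DS digest types the message says are taken.
DIGEST_LEN = {1: 20, 2: 32, 3: 32, 4: 48}
DRY_RUN_TYPE = 0xFF  # hypothetical placeholder; the page gives no code point
DRY_RUN_BIT = 0x80   # most-significant bit of the digest type octet


def encode(scheme, key_tag, alg, dtype, digest, dry_run):
    """Build DS RDATA: key tag (2), algorithm (1), digest type (1), digest."""
    if dtype not in DIGEST_LEN or len(digest) != DIGEST_LEN[dtype]:
        raise ValueError("unknown digest type or wrong digest length")
    if not dry_run:
        return struct.pack("!HBB", key_tag, alg, dtype) + digest
    if scheme == "displaced":  # real type moves into the digest field
        return struct.pack("!HBB", key_tag, alg, DRY_RUN_TYPE) + bytes([dtype]) + digest
    if scheme == "msb":        # real type stays put, top bit flags dry-run
        return struct.pack("!HBB", key_tag, alg, dtype | DRY_RUN_BIT) + digest
    raise ValueError("unknown scheme")


def decode(scheme, rdata):
    """Return (key_tag, alg, dtype, digest, dry_run), rejecting bad lengths."""
    if len(rdata) < 5:
        raise ValueError("truncated DS RDATA")
    key_tag, alg, dtype = struct.unpack("!HBB", rdata[:4])
    digest, dry_run = rdata[4:], False
    if scheme == "displaced" and dtype == DRY_RUN_TYPE:
        dry_run, dtype, digest = True, digest[0], digest[1:]
    elif scheme == "msb" and dtype & DRY_RUN_BIT:
        dry_run, dtype = True, dtype & ~DRY_RUN_BIT
    if len(digest) != DIGEST_LEN.get(dtype, -1):
        raise ValueError("unknown digest type or wrong digest length")
    return key_tag, alg, dtype, digest, dry_run


def presentation(rdata):
    """Zone-file form as a dry-run-unaware tool would print it."""
    key_tag, alg, dtype = struct.unpack("!HBB", rdata[:4])
    return f"{key_tag} {alg} {dtype} {rdata[4:].hex().upper()}"


# Constructed sample values, not taken from any real zone.
SAMPLE = (12345, 13, 2, hashlib.sha256(b"constructed sample key").digest())

if __name__ == "__main__":
    for scheme in ("displaced", "msb"):
        print(scheme, presentation(encode(scheme, *SAMPLE, dry_run=True)))
```

With the displaced encoding the unaware tool shows digest type 255 and a 33-octet digest whose leading `02` is the real type; with the most-significant-bit encoding it shows type 130 (2 with the top bit set) and the 32-octet digest unchanged.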