Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
Paul Wouters <paul@nohats.ca> Tue, 30 April 2024 14:46 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3316C14F619 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 07:46:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.73
X-Spam-Level:
X-Spam-Status: No, score=-3.73 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0ZssUg7FylT for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 07:46:54 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB83AC14F617 for <dnsop@ietf.org>; Tue, 30 Apr 2024 07:46:54 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4VTNM12qRgzCB0; Tue, 30 Apr 2024 16:46:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1714488413; bh=huExDyWbkIHXUHY/n9Rz6Xxv8uvADzFirWFqioXIc78=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=IJDOPLNe9WzbzcZX+l/5gT982eD1/OfJJG5HMFyl3Y2PorFq1K1YTucD2vUR76EnF 2n9N8v4Q8AA1/32ZrJuR+x6u6rhQqLEeCuI8h05hk+qQc5yJ96xOPBPw3EsKSXtCqZ mfr24C8h99hMAmvjzDfO0zqA7WU+xfKTQZTxUNoU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id QfnAs8oR_KV9; Tue, 30 Apr 2024 16:46:52 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 30 Apr 2024 16:46:52 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 94D2711DE547; Tue, 30 Apr 2024 10:46:51 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 93D1611DE546; Tue, 30 Apr 2024 10:46:51 -0400 (EDT)
Date: Tue, 30 Apr 2024 10:46:51 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mark Andrews <marka@isc.org>
cc: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
In-Reply-To: <899D42FA-5E94-4077-B5E3-719220EB9235@isc.org>
Message-ID: <1bcb5629-32e2-4653-157a-2d7330568525@nohats.ca>
References: <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca> <899D42FA-5E94-4077-B5E3-719220EB9235@isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HFg3Be6qFovGXkR8NlCen2BiE7o>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 14:46:59 -0000
On Wed, 1 May 2024, Mark Andrews wrote: > One got servfail because validators where not aware that support was ripped away underneath it. Validators started to get errors that where totally unexpected. Performing runtime testing of algorithm support addressed that by allowing the validator to skip the unsupported algorithm. The runtime check for SHA1 helped put RSA-SHA1 / NSEC3-RSA-SHA1 into the "unsupported" category, but RSA-SHA256 with NSEC3 still uses SHA1 for hashing the QNAME, and while not cryptogrpahic use, still had problems in practise. I don't remember the full details, but I think it related to wildcard proofs of non-existence of some kind, leading to validation failures. Paul
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- [DNSOP] Call for Adoption: draft-hardaker-dnsop-r… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-hardaker-dns… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Joe Abley
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Wes Hardaker
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Joe Abley
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Mark Andrews
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Wes Hardaker
- Re: [DNSOP] Questions before adopting must-not-sh… Paul Wouters
- Re: [DNSOP] Questions before adopting must-not-sh… jabley
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… S Moonesamy
- [DNSOP] Questions before adopting must-not-sha1 Paul Hoffman
- Re: [DNSOP] Questions before adopting must-not-sh… Philip Homburg
- Re: [DNSOP] Questions before adopting must-not-sh… John Levine
- Re: [DNSOP] Questions before adopting must-not-sh… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-hardaker-dns… Wes Hardaker
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Mark Andrews
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Peter Thomassen
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… John R Levine
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Scott Morizot
- [DNSOP]Re: [Ext] Re: Questions before adopting mu… Kim Davies
- Re: [DNSOP] Questions before adopting must-not-sh… Peter Thomassen
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Peter Thomassen
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Peter Thomassen
- [DNSOP] Re: Call for Adoption: draft-hardaker-dns… Tim Wicinski
- [DNSOP] Re: Questions before adopting must-not-sh… Petr Menšík
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Mark Andrews
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Peter Thomassen
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… John Levine
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… John R Levine
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Scott Morizot
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Scott Morizot
- Re: [DNSOP] Call for Adoption: draft-hardaker-dns… Mark Andrews
- [DNSOP] Re: Questions before adopting must-not-sh… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Joe Abley
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Scott Morizot
- [DNSOP] Re: [Ext] Call for Adoption: draft-hardak… Petr Menšík
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Peter Thomassen
- [DNSOP] Re: Questions before adopting must-not-sh… Steve Crocker
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- [DNSOP] Re: Questions before adopting must-not-sh… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- [DNSOP] Re: Questions before adopting must-not-sh… Steve Crocker
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… John R Levine
- [DNSOP] Re: Questions before adopting must-not-sh… Peter Thomassen
- [DNSOP] Re: Questions before adopting must-not-sh… Petr Menšík
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Wouters
- [DNSOP] Re: Questions before adopting must-not-sh… Philip Homburg
- [DNSOP] Re: Questions before adopting must-not-sh… Petr Menšík
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Philip Homburg
- [DNSOP] Re: Questions before adopting must-not-sh… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-hardak… Mark Andrews
- [DNSOP] Re: Questions before adopting must-not-sh… Petr Menšík