Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Paul Hoffman <paul.hoffman@icann.org> Tue, 30 April 2024 17:38 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: dnsop <dnsop@ietf.org>
Date: Tue, 30 Apr 2024 17:38:27 +0000
Message-ID: <96117264-AF60-4F2D-8EFF-260DD012F55F@icann.org>
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <m1s1mGR-0000PPC@stereo.hq.phicoh.net> <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca> <m1s1oHu-0000LZC@stereo.hq.phicoh.net> <0a9a6466-0e66-8c1c-2133-34da5eb52812@nohats.ca> <m1s1p08-0000LZC@stereo.hq.phicoh.net> <d628274d-bedf-da04-327f-00dce3371e5c@nohats.ca>
In-Reply-To: <d628274d-bedf-da04-327f-00dce3371e5c@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HmyZm9Fy4eoeOemgJjZRw-4G4QE>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

The people arguing for adoption seem to have two major arguments:
1) we should punish zones that sign with old algorithms by making compliant resolvers treat them as insecure
2) we should make it impossible for zones to sign or re-sign with old algorithms

#1 affects resolvers, in particular the resolver's security policies. It is based on as-yet unsupported assertions of the lack of safety for SHA-1 in DNSSEC signatures or DS records.

#2 affects signing software (and maybe authoritative software?). It is based on the fact that there is a large known set of resolvers that will treat zones signed with SHA-1 (and maybe zones covered with SHA-1 DS records?) as insecure, and the fact that there are easily-chosen alternatives that do not (yet) have this problem.

The current must-not-sha1 is worded around #1. I am currently against adoption for that reason. If it were instead worded around #2, it would be easier to support.

I am still saddened by the level of interest in these documents, at the expense of other DNSSEC-related documents that are clearly more important. We could be much closer to more stable DNSSEC operations if people showed interest in those WG drafts instead of wanting to pile on more drafts, particularly those that make DNSSEC less safe for some existing users.

--Paul Hoffman
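As an added illustration, not code from this thread or from any of the drafts it discusses, the following Python models the two positions the message contrasts: #1 as a resolver-side rule under which a delegation that relies only on deprecated algorithms validates as "insecure" (RFC 4035 section 5.2 behaviour), and #2 as a signer-side rule that refuses to produce such signatures. Algorithm and digest numbers are IANA DNSSEC registry values; the LEGACY sets, the two resolver profiles and every DS RRset are constructed assumptions, not the drafts' actual tables.

```python
# Added example, not code from the thread or from the drafts it discusses.
# Policy #1 lives in the resolver (zones relying on deprecated algorithms
# become "insecure"); policy #2 lives in the signer (refuse to sign).
# Algorithm and digest numbers are IANA DNSSEC registry values; the
# LEGACY sets, the profiles and every RRset below are constructed.

SHA1_DNSKEY_ALGS = {5, 7}                     # RSASHA1, RSASHA1-NSEC3-SHA1
LEGACY_DNSKEY_ALGS = SHA1_DNSKEY_ALGS | {12}  # plus ECC-GOST
SHA1_DS_DIGEST = 1                            # DS digest type 1 is SHA-1

# Two resolver profiles (constructed): one still supporting the legacy
# algorithms, one that follows policy #1 and has dropped them.
PERMISSIVE = {"algs": {5, 7, 8, 10, 12, 13, 14, 15, 16}, "digests": {1, 2, 4}}
STRICT = {"algs": PERMISSIVE["algs"] - LEGACY_DNSKEY_ALGS,
          "digests": PERMISSIVE["digests"] - {SHA1_DS_DIGEST}}


def resolver_outcome(ds_rrset, profile):
    """Model of RFC 4035 section 5.2: if no DS record in the delegation uses
    an algorithm and digest type the validator supports, the child zone
    cannot be validated and is treated as insecure, i.e. as if unsigned.
    ds_rrset: list of (key_tag, algorithm, digest_type) tuples."""
    usable = [ds for ds in ds_rrset
              if ds[1] in profile["algs"] and ds[2] in profile["digests"]]
    return "validate" if usable else "insecure"


def compare_policies(ds_rrset):
    """What a legacy-tolerant and a strict resolver each conclude about the
    same delegation; the gap between the two is the effect of policy #1."""
    return {"permissive": resolver_outcome(ds_rrset, PERMISSIVE),
            "strict": resolver_outcome(ds_rrset, STRICT)}


def signer_check(algorithm, forbidden=LEGACY_DNSKEY_ALGS):
    """Policy #2: the signing tool refuses to sign or re-sign with a
    forbidden algorithm, forcing migration before anything is published."""
    if algorithm in forbidden:
        raise ValueError(f"refusing to sign with DNSKEY algorithm {algorithm}")
    return algorithm


if __name__ == "__main__":
    sha1_only = [(12345, 5, 1)]                 # constructed: alg 5, SHA-1 DS
    dual = [(12345, 5, 1), (23456, 13, 2)]      # constructed: alg 5 and alg 13
    print("SHA-1 only:", compare_policies(sha1_only))  # strict -> insecure
    print("dual DS   :", compare_policies(dual))       # both -> validate
    try:
        signer_check(5)
    except ValueError as e:
        print("signer:", e)
```

The dual-DS case shows why #2 is the gentler lever: a zone that also publishes a current algorithm keeps validating under both profiles, while a SHA-1-only zone silently loses DNSSEC protection under the strict one.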