Re: [DNSOP] review: draft-wessels-dns-zone-digest-04.txt

"A. Schulze" <sca@andreasschulze.de> Thu, 01 November 2018 15:18 UTC

Return-Path: <sca@andreasschulze.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53EA51294D0 for <dnsop@ietfa.amsl.com>; Thu, 1 Nov 2018 08:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=andreasschulze.de header.b=n5tFpHzE; dkim=pass (2048-bit key) header.d=andreasschulze.de header.b=jgjkYpZ/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMa-i1DfiwmX for <dnsop@ietfa.amsl.com>; Thu, 1 Nov 2018 08:18:49 -0700 (PDT)
Received: from mta.somaf.de (mta.somaf.de [IPv6:2001:470:77b3:103::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC2B8128C65 for <dnsop@ietf.org>; Thu, 1 Nov 2018 08:18:48 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=andreasschulze.de; i=@andreasschulze.de; q=dns/txt; s=ed25519; t=1541085526; h=subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding : subject : from : date; bh=ykky7b3yLESQ3mJ/hhtO3dKLYiYX+QYMA5Kv9BVBl6k=; b=n5tFpHzEdeH276bciawTzlbtP/Z6q5C3E/McV/EvXnIImTElZz42UiUd aIB/nEqZrvNDVQhQ8k04btT1TmWBCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=andreasschulze.de; s=20180930-2EE7; t=1541085526; x=1546085526; bh=ykky7b3yLESQ3mJ/hhtO3dKLYiYX+QYMA5Kv9BVBl6k=; h=Subject:To:References:From:Message-ID:Date:In-Reply-To: Content-Type:from:reply-to:subject:date:to:cc:content-type: message-id; b=jgjkYpZ/NHj70Tg7M2Nh1M3FDGr1jOH264svNdb6m+HTvZvZTZG8+ss9e6NhncL9Q E68F2xZmzH95xNr5qoaJAPqZe3Z7T0MxVowJpYH+aNVHh7NkbPXKdyE5d0giIeN1e4 1N+IMNAqYy+ty1tP3K0/wUO5H32Fz38ZvjBF8UPeKROvnZKQqT80mzRbrJB3BtQaDl P6dgCC5gHOVZFJsto08bE22/1G4U4hZdZjL+vJOSyv11NxeDk1tbWWDcwC3KptRWa1 QOe63dB9G6tXEaJx9fNiwpYrJVeMrM77cC7huvbIJyGqPiygrSZvRbwFZ6RbY3/AjO T2JqN/YSCNBfQ==
To: dnsop@ietf.org
References: <154020795105.15126.7681204022160033203@ietfa.amsl.com> <DD4AADA8-A23A-4C2C-9F0D-401CA5A51745@hopcount.ca> <509F5E08-5EDF-4A54-BB34-A76BA390F01D@verisign.com>
From: "A. Schulze" <sca@andreasschulze.de>
Message-ID: <263f71ee-05ab-84e1-bb61-4139941b4346@andreasschulze.de>
Date: Thu, 1 Nov 2018 16:18:22 +0100
MIME-Version: 1.0
In-Reply-To: <509F5E08-5EDF-4A54-BB34-A76BA390F01D@verisign.com>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HoKSOSvWDUcS8LtK5qPjj9HBqb0>
Subject: Re: [DNSOP] review: draft-wessels-dns-zone-digest-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2018 15:18:51 -0000


Am 01.11.18 um 00:03 schrieb Wessels, Duane:
> I think you might be the first person to argue for supporting multiple ZONEMD algorithms per zone. I actually expected more.

I remember Stephen Farrell saying something like "while designing new protocols, algorithm agility is an important point"
We see the results today in DKIM and DNSSEC. It's really hard to change crypto primitives.

Andreas