Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Joe Abley <jabley@hopcount.ca> Fri, 28 March 2014 13:50 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89FCC1A0923 for <dnsop@ietfa.amsl.com>; Fri, 28 Mar 2014 06:50:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5anMM1DrdNv for <dnsop@ietfa.amsl.com>; Fri, 28 Mar 2014 06:50:52 -0700 (PDT)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 213941A0921 for <dnsop@ietf.org>; Fri, 28 Mar 2014 06:50:52 -0700 (PDT)
Received: by mail-ig0-f169.google.com with SMTP id h18so821427igc.4 for <dnsop@ietf.org>; Fri, 28 Mar 2014 06:50:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=I9T2HKsxEOCsP8Yery/hCimG9PsXeWHYGAFaSux5u5o=; b=Yr3Ds06SBdAxCBtyXtNkaUrHmLCIm4b829eT0FE9P4Ytk9K8WL+nzOJZ6OLAY0bwWj UHY6kNp9Bghh8RuIdTeDI1Bce05D/c3tEwbYo3wf/QW0WP2b3SyF2nNsSkOlk+tN0f2r qVowfl4JyVtPg6tAy3WGiarp+Nk1L+OA4/ZuA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=I9T2HKsxEOCsP8Yery/hCimG9PsXeWHYGAFaSux5u5o=; b=cxru9WAA5h59oPmFebLP4uIcPFQ53G5hInxcUjVHcfMhCDL6JOAljFEruvomVn0zGO 4NzQEWyGeL4lWBQQMZsCcyTRwUScJxjNNOE2cyruDGChbrFZLM9MzvtZyymGuMz4LHA3 U1l9Gawr9nh2orUK5Tv0mqGyAenGV7b8dhAYDkULhU6F43lSU02LJsw3DXS+CLC6/7mQ JB0OBa5LOmAMz1OrvHkAelHiZRa0n98TtU+fc8bz9hDIm1McYda9QPKKQeTgNQ6IuXFr cstwEQ89azdHEuJg1G+BEzibBtUAM/tqsDADkLGy1pW6dmedq/AzlhT4LSkqnTWMy+E2 oQYQ==
X-Gm-Message-State: ALoCoQkdJ/Umtiuh3Ta8MqFFgIuhDkrr3YbgAMTW5sYs22ZeFCEjvDktSi/7FNq+pjez6/Ip0Hag
X-Received: by 10.43.151.7 with SMTP id kq7mr730195icc.78.1396014648843; Fri, 28 Mar 2014 06:50:48 -0700 (PDT)
Received: from ?IPv6:2001:4900:1042:1:6017:7cb3:ae80:13ee? ([2001:4900:1042:1:6017:7cb3:ae80:13ee]) by mx.google.com with ESMTPSA id vu3sm4920249igc.6.2014.03.28.06.50.47 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 28 Mar 2014 06:50:48 -0700 (PDT)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAMm+Lwj+B5T63C6eJuq2z3Ppn2rQNDVc_8LFw8E05A=E_7i82g@mail.gmail.com>
Date: Fri, 28 Mar 2014 09:50:45 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <669978BE-9AF3-4EB4-91E6-D5FA924CE454@hopcount.ca>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <4B70E4D6-6750-4E5A-9058-7F94588DEF4C@vpnc.org> <CAL9jLaaAYPfRNSmoO=G+q2JA4a2RVsV-z-0o3RFY7r+dQN-a_w@mail.gmail.com> <734640E6-6393-4EBF-BE36-5C05026027E5@icsi.berkeley.edu> <alpine.LFD.2.10.1403271535160.4908@bofh.nohats.ca> <DD41060F-0006-4452-876C-6095B4A502AA@icsi.berkeley.edu> <alpine.LFD.2.10.1403271630300.4908@bofh.nohats.ca> <alpine.LSU.2.00.1403281259440.31260@hermes-1.csi.cam.ac.uk> <CAMm+Lwj+B5T63C6eJuq2z3Ppn2rQNDVc_8LFw8E05A=E_7i82g@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/MrrEOjtcS61k-GZ2Ihs-IdYex1Y
Cc: Tony Finch <dot@dotat.at>, dnsop WG <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 13:50:53 -0000

On 28 Mar 2014, at 9:06, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> Therefore ICANN needs to sign the root zone with 2048 before we consider it signed. End of story.

Small point of clarity: the only key that ICANN maintains is the 2048 bit KSK, and the only signatures ICANN makes with it are over the DNSKEY RRSet. The 1024 bit ZSKs and signatures made by those keys are handled exclusively by the Root Zone Maintainer (Verisign).

It's not clear to me that any changes would be required at ICANN to accommodate 2048 bit ZSKs. As I recall, every KSR that is submitted for processing at a ceremony is carefully tested in dry runs before the date anyway, so even the existing QA could continue unchanged.


Joe