Re: [DNSOP] More private algorithms for DNSSEC

"Blacka, David" <davidb@verisign.com> Fri, 15 April 2022 19:24 UTC

From: "Blacka, David" <davidb@verisign.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
CC: dnsop WG <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] More private algorithms for DNSSEC
Thread-Index: AQHYUP5ycphYePj2lE+M8mHhH94/YQ==
Date: Fri, 15 Apr 2022 19:24:37 +0000
Message-ID: <2DF5B8EA-80E8-4732-8863-F3797A780F6D@verisign.com>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com> <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org> <54622bd0dd3253187a9c9b69d0a1188a4d898bd9.camel@powerdns.com>
In-Reply-To: <54622bd0dd3253187a9c9b69d0a1188a4d898bd9.camel@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ORDQLcWyx3EpJdHpGXE_Jx9qGjM>
Subject: Re: [DNSOP] More private algorithms for DNSSEC


> On Mar 23, 2022, at 5:45 AM, Peter van Dijk <peter.van.dijk@powerdns.com> wrote:
> 
> On Mon, 2022-03-21 at 19:32 +0000, Paul Hoffman wrote:
>> On Mar 21, 2022, at 11:34 AM, Wessels, Duane <dwessels=40verisign.com@dmarc.ietf.org> wrote:
>>> Is it in response to the DNS-OARC talk we saw about implementing PQC Falcon in PowerDNS, and they used the next unused algorithm number rather than a private algorithm?
>> 
>> Nils could have picked 253 but probably didn't even think of looking down to the bottom of the list. He was just following the time-honored pattern in the IETF. :-)
> 
> (I am not speaking for Nils, to be clear.)
> 
> 253 is not for experiments - it is for private production. It requires
> (as most of you might know) prefixing DNSKEY content with a private
> algorithm specifier that looks like a domain name (or, for 254, with an
> OID). This means if you were to use it for an experiment, your DNSKEY
> content, and thus signer and validation code, would need to be changed
> when you get a number assigned.

Hey! There is an RFC about this!  RFC 4955.

If you look that one up, you might understand why I might be aware of that one ;)  That said, I didn't remember the number.

Anyway, that RFC describes using the 253 and 254 private code points for *doing experiments*.

Although, to be clear, we weren't really thinking of new DNSSEC algorithms as experiments (those would be "backwards compatible" experiments).

> So, Paul, I support the idea behind your draft, but not the current
> wording. While more 253-like points might be somewhat useful, what we
> really need are experimental code points with non-253 semantics.

Well, we clearly don't need more code points with 253 semantics.  I can see that Paul updated it to say that (on 3/24):

   This document updates [RFC4034] to add seven more private use
   algorithms.  Unlike private use algorithm 253, there is no
   restriction on the public key area in the DNSKEY RR and the signature
   area in the RRSIG RR.  Thus, there are no domain names embedded in the
   public key or signature like there are with private use algorithm
   253.  This update brings the total number of private use algorithms
   that use the same format to eight.


> 
> 
> Kind regards,
> -- 
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/

--
David Blacka                      <davidb@verisign.com> 
Verisign Fellow            Verisign Product Engineering
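The layout Peter describes (and that RFC 4955 builds on) is defined in RFC 4034 Appendix A.1.1: with algorithm 253 the DNSKEY public key area and the RRSIG signature area both start with an uncompressed wire-format domain name, and with 254 they start with a length byte and a BER-encoded OID; only what follows the prefix is the algorithm's own key or signature material. The following is an added example written for this page, not code from the thread, from PowerDNS or from Verisign. It encodes and parses those prefixes with the standard library only; the specifier name `falcon512.example.`, the OID `1.3.6.1.4.1.99999.1`, the placeholder "assigned" number 100 and the key bytes are all constructed for illustration and are not real registrations or keys.

```python
"""Split the private-algorithm specifier from DNSSEC key/signature areas.

RFC 4034 Appendix A.1.1:
  253 (PRIVATEDNS): area begins with an uncompressed wire-format domain name.
  254 (PRIVATEOID): area begins with one length byte, then a BER-encoded OID.
Everything after the prefix belongs to the private algorithm itself.
"""
import struct

PRIVATEDNS = 253
PRIVATEOID = 254
HYPOTHETICAL_ASSIGNED = 100  # placeholder for "a number IANA later assigns"


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int = 0):
    """Decode an uncompressed name; returns (name, offset past it).
    A compression pointer (top two bits of a length byte set) is rejected:
    RFC 4034 forbids compression in the PRIVATEDNS specifier."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated specifier name")
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in specifier")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def encode_oid(dotted: str) -> bytes:
    """BER content octets of an OID (no tag, no length), base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid; rejects an OID that ends mid-subidentifier."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val, pending = 0, False
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID subidentifier")
    return ".".join(str(a) for a in arcs)


def split_private_prefix(algorithm: int, area: bytes):
    """(specifier, remainder) for a DNSKEY public-key area or an RRSIG
    signature area. Assigned algorithm numbers carry no prefix at all."""
    if algorithm == PRIVATEDNS:
        name, off = decode_name(area)
        return name, area[off:]
    if algorithm == PRIVATEOID:
        if not area or len(area) < 1 + area[0]:
            raise ValueError("truncated OID specifier")
        n = area[0]
        return decode_oid(area[1:1 + n]), area[1 + n:]
    return None, area


def parse_dnskey_rdata(rdata: bytes) -> dict:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public-key area."""
    if len(rdata) < 4:
        raise ValueError("short DNSKEY RDATA")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    specifier, key = split_private_prefix(algorithm, rdata[4:])
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "specifier": specifier, "key": key}


def build_dnskey_rdata(flags: int, algorithm: int, key: bytes,
                       specifier=None) -> bytes:
    """Build DNSKEY RDATA, inserting the 253/254 prefix when required."""
    prefix = b""
    if algorithm == PRIVATEDNS:
        prefix = encode_name(specifier)
    elif algorithm == PRIVATEOID:
        oid = encode_oid(specifier)
        prefix = bytes([len(oid)]) + oid
    return struct.pack("!HBB", flags, 3, algorithm) + prefix + key


SAMPLE_KEY = bytes(range(16))  # constructed placeholder, not real key material

if __name__ == "__main__":
    # Same key bytes under 253, under 254 and under a placeholder assigned
    # number: only the last carries the key with no prefix in front of it.
    for alg, spec in ((PRIVATEDNS, "falcon512.example."),
                      (PRIVATEOID, "1.3.6.1.4.1.99999.1"),
                      (HYPOTHETICAL_ASSIGNED, None)):
        print(parse_dnskey_rdata(build_dnskey_rdata(257, alg, SAMPLE_KEY, spec)))
```

Because the presentation format of DNSKEY base64-encodes the whole public key area, the specifier name or OID ends up inside the base64 blob in the zone file, and the signer and validator must know to strip it; moving from 253 to an assigned number changes both the on-disk key and that code path, which is the migration cost Peter points at. The compression-pointer and truncation checks matter for a validator, since the prefix is attacker-influenced data on the wire.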