Re: [DNSOP] [Ext] DNSSEC Strict Mode

Ulrich Wisser <ulrich@wisser.se> Wed, 24 February 2021 15:01 UTC


> On 23 Feb 2021, at 17:49, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> On Tue, Feb 23, 2021 at 11:21 AM Samuel Weiler <weiler@watson.org> wrote:
> > ...
> > Recognizing that I'm likely biased by my history of working on the
> > current "mandatory algorithm rules", I don't buy the need for this
> > complexity.  In practice our "weak" algorithms aren't _that_ weak.
> > And, if they are, we might as well stop signing with them entirely.
> 
> I think that was true for a long time, but I'm not sure it's still true, or will stay true.  I'm particularly motivated by the ongoing discussion about adding Algorithms to the registry [1], and a recent overview of Post-Quantum cryptography for DNSSEC [2].  Also, 829-bit RSA was factored last year [3].  Validator update timelines are Very Slow, so we should be thinking about adding features we might need before we need them.
> 
> Even if we are currently in a state where zone owners feel like they have simple, safe choices, I don't think we should assume that this will remain true indefinitely.
> 
> > This seems like unnecessary further loading of the camel.
> 
> FWIW, my preference would be to simply remove the lax-validation rule from RFC 6840, which would simplify the standard overall ... but there must have been a good reason for it.  Strict Mode might be a stepping-stone in that direction.

Not only am I in favor of the RFC 6840 lax validation, it is in fact necessary for secure DNSSEC operation.
In fact I believe RFC 4035 needs to be updated to explicitly allow algorithms without signatures.
At the current state of the DNSSEC RFC definitions it is unclear how you could change DNS operators securely if these operators do not sign the zone with the same algorithm.


> > Ben, if you decide to persist with this idea, I've filed some issues
> > in your GH repo.
> 
> Thanks!
> 
> [1] https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-iana-cons-00
> [2] https://indico.dns-oarc.net/event/37/contributions/811/
> [3] https://en.wikipedia.org/wiki/RSA_numbers#RSA-250
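Added example, not part of the thread: a toy model of the validator decision under the RFC 6840 section 5.11 lax rule versus a hypothetical strict rule, used here to illustrate the operator-change case Ulrich raises. It assumes "strict" means every algorithm listed in the parent's DS RRset must yield a verifying signature (one reading of the proposal under discussion, not its text), and it abstracts signature verification to a boolean so only the acceptance logic is shown.

```python
"""Toy model of lax (RFC 6840 5.11) vs. hypothetical strict DNSSEC
algorithm acceptance. Signature verification is abstracted to a bool."""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Rrsig:
    algorithm: int
    valid: bool  # stands in for the real cryptographic check


def validate(ds_algorithms, rrsigs, strict=False):
    """Return True if the RRset is accepted by the validator.

    lax (RFC 6840 5.11): accept if any signature made with an algorithm
    listed in the DS RRset verifies; other algorithms are ignored.
    strict (hypothetical, assumed here): additionally require a verifying
    signature for every algorithm listed in the DS RRset.
    """
    ds_set = set(ds_algorithms)
    good = {s.algorithm for s in rrsigs if s.valid and s.algorithm in ds_set}
    if not good:
        return False  # no trusted algorithm verified: bogus in both modes
    return good == ds_set if strict else True


def operator_change_scenario(strict):
    """Constructed handover: operator A signs only with RSASHA256, operator B
    only with ECDSAP256SHA256. The parent publishes DS records for both so
    either operator's answers can be trusted, but each answer carries only
    its own algorithm's signature.
    Returns (answer_from_A_accepted, answer_from_B_accepted)."""
    ds = [RSASHA256, ECDSAP256SHA256]
    from_a = [Rrsig(RSASHA256, True)]
    from_b = [Rrsig(ECDSAP256SHA256, True)]
    return (validate(ds, from_a, strict), validate(ds, from_b, strict))


if __name__ == "__main__":
    print("lax   :", operator_change_scenario(strict=False))
    print("strict:", operator_change_scenario(strict=True))
```

Under the lax rule both operators' answers validate throughout the handover; under the strict rule neither does, which is the operational problem the message describes.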