Re: [DNSOP] ECDSA woes
Mark Andrews <marka@isc.org> Sun, 16 October 2016 22:31 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE4B21294CE for <dnsop@ietfa.amsl.com>; Sun, 16 Oct 2016 15:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.332
X-Spam-Level:
X-Spam-Status: No, score=-7.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubOqvscK_E9h for <dnsop@ietfa.amsl.com>; Sun, 16 Oct 2016 15:31:20 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60AA5129481 for <dnsop@ietf.org>; Sun, 16 Oct 2016 15:31:20 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 6392E3493C7; Sun, 16 Oct 2016 22:31:12 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id D2631160048; Sun, 16 Oct 2016 22:31:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B749A160074; Sun, 16 Oct 2016 22:31:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id VftT1V51NIYj; Sun, 16 Oct 2016 22:31:11 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 2D483160048; Sun, 16 Oct 2016 22:31:11 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 6856756C80DE; Mon, 17 Oct 2016 09:31:09 +1100 (EST)
To: Ólafur Guðmundsson <olafur@cloudflare.com>
From: Mark Andrews <marka@isc.org>
References: <alpine.DEB.2.02.1610150806380.26951@uplift.swm.pp.se> <c1e14584-a444-37ef-1e4c-d1077ba4f384@bellis.me.uk> <alpine.DEB.2.02.1610151717420.12036@uplift.swm.pp.se> <0A83A7D9-E7E8-4494-86F9-F19AE96967D7@fl1ger.de> <alpine.DEB.2.02.1610151751210.12036@uplift.swm.pp.se> <11BD031F-EDBF-4DF6-A167-0240581EBD0F@apnic.net> <CAN6NTqz1Qk57KWFUio0jY36gkMi+HNmMvH4+PpSF-nhux+UXWg@mail.gmail.com> <alpine.DEB.2.02.1610161014330.12036@uplift.swm.pp.se> <CAN6NTqxxNyiK75RF1E9FkCH3Cb8D5fqf6HkSwxtXK_GyxCQmNw@mail.gmail.com>
In-reply-to: Your message of "Sun, 16 Oct 2016 12:29:04 -0400." <CAN6NTqxxNyiK75RF1E9FkCH3Cb8D5fqf6HkSwxtXK_GyxCQmNw@mail.gmail.com>
Date: Mon, 17 Oct 2016 09:31:09 +1100
Message-Id: <20161016223109.6856756C80DE@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RinF-JmHKQS20zpUG5vvslB52cU>
Cc: dnsop <dnsop@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: [DNSOP] ECDSA woes
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 22:31:22 -0000
In message <CAN6NTqxxNyiK75RF1E9FkCH3Cb8D5fqf6HkSwxtXK_GyxCQmNw@mail.gmail.com>, =?UTF-8?B?w5NsYWZ1ciBHdcOwbXVuZHNzb24=?= writes: > I will be happy to do that, stay tuned as I need to create a special > signer for it :-) > > Olafur dnssec-signzone + awk + dnssec-dsfromkey works well. e.g. awk '$4 == "RRSIG" && $6 == 8 { $6 = 99 } $4 == "DNSKEY" && $7 == 8 { $7 = 99} { print }' Mark > On Sun, Oct 16, 2016 at 4:16 AM, Mikael Abrahamsson <swmike@swm.pp.se> > wrote: > > > On Sat, 15 Oct 2016, =C3=93lafur Gu=C3=B0mundsson wrote: > > > > I have domains signed by all combinations of signing algorithms and DS > >> digests as well as Nsec variants > >> Ds-n.alg-m-nsec.dnssec-test.org > >> > >> Replace n with 1..4 > >> M with 1..14 > >> Nsec is one of Nsec nsec3 none > >> > > > > I'd be veryinterested if you could create an algorithm called "99" (or > > something), and we could test that. Anyone not loading the "99" resource = > is > > violating the "SHOULD", even if they understand ECDSA. > > > > This would investigate ratio of problems when we want to introduce a new > > algorithm in the future. > > > > > > -- > > Mikael Abrahamsson email: swmike@swm.pp.se > > > > --94eb2c0cd28c3de9dd053efdf57f > Content-Type: text/html; charset=UTF-8 > Content-Transfer-Encoding: quoted-printable > > <div dir=3D"ltr">I will be happy to do that, =C2=A0stay tuned as I need to = > create a special signer for it :-)=C2=A0<div><br></div><div>Olafur</div><di= > v><br></div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote"= > >On Sun, Oct 16, 2016 at 4:16 AM, Mikael Abrahamsson <span dir=3D"ltr"><= > <a href=3D"mailto:swmike@swm.pp.se" target=3D"_blank">swmike@swm.pp.se</a>&= > gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 = > 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=3D"">On Sat= > , 15 Oct 2016, =C3=93lafur Gu=C3=B0mundsson wrote:<br> > <br> > <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= > x #ccc solid;padding-left:1ex"> > I have domains signed by all combinations of signing algorithms and DS<br> > digests as well as Nsec variants<br> > <a href=3D"http://Ds-n.alg-m-nsec.dnssec-test.org" rel=3D"noreferrer" targe= > t=3D"_blank">Ds-n.alg-m-nsec.dnssec-test.or<wbr>g</a><br> > <br> > Replace n with 1..4<br> > M with 1..14<br> > Nsec is one of Nsec nsec3 none<br> > </blockquote> > <br></span> > I'd be veryinterested if you could create an algorithm called "99&= > quot; (or something), and we could test that. Anyone not loading the "= > 99" resource is violating the "SHOULD", even if they underst= > and ECDSA.<br> > <br> > This would investigate ratio of problems when we want to introduce a new al= > gorithm in the future.<div class=3D"HOEnZb"><div class=3D"h5"><br> > <br> > -- <br> > Mikael Abrahamsson=C2=A0 =C2=A0 email: <a href=3D"mailto:swmike@swm.pp.se" = > target=3D"_blank">swmike@swm.pp.se</a></div></div></blockquote></div><br></= > div> > > --94eb2c0cd28c3de9dd053efdf57f-- > > > --===============9042271128241020298== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > > --===============9042271128241020298==-- > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] ECDSA woes Mikael Abrahamsson
- Re: [DNSOP] ECDSA woes Ray Bellis
- Re: [DNSOP] ECDSA woes Roy Arends
- Re: [DNSOP] ECDSA woes Mikael Abrahamsson
- Re: [DNSOP] ECDSA woes Ralf Weber
- Re: [DNSOP] ECDSA woes Mikael Abrahamsson
- Re: [DNSOP] ECDSA woes Marek Vavruša
- Re: [DNSOP] ECDSA woes Geoff Huston
- Re: [DNSOP] ECDSA woes Ólafur Guðmundsson
- Re: [DNSOP] ECDSA woes Mikael Abrahamsson
- Re: [DNSOP] ECDSA woes Mikael Abrahamsson
- Re: [DNSOP] ECDSA woes Ólafur Guðmundsson
- Re: [DNSOP] ECDSA woes Mark Andrews
- Re: [DNSOP] ECDSA woes Mark Andrews
- Re: [DNSOP] ECDSA woes Jan Včelák
- Re: [DNSOP] ECDSA woes Dan York
- Re: [DNSOP] ECDSA woes Mark Andrews