Re: [DNSOP] DNSSEC as a Best Current Practice

Bjørn Mork <bjorn@mork.no> Tue, 22 March 2022 09:35 UTC

From: Bjørn Mork <bjorn@mork.no>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: "dnsop@ietf.org WG" <DNSOP@ietf.org>
Organization: m
References: <7aaed092-8877-ec15-9b7b-5d488e383d04@necom830.hpcl.titech.ac.jp> <7C43871E-60AF-485D-8AB3-65E72539F831@nohats.ca> <59fdc791-4482-141b-03b4-bc27e8824f31@necom830.hpcl.titech.ac.jp> <1cd37a4-2f80-5a8c-f377-d224a363d76@nohats.ca> <6d46abd6-60ca-d896-6408-fe83a83895cf@necom830.hpcl.titech.ac.jp> <CAH1iCir6OdMWZLFnP_=me+PFhYL+FxTjhEjKFO32+g61JgjnNg@mail.gmail.com> <4a33bbc9-b085-e8bc-4183-f55933e57786@necom830.hpcl.titech.ac.jp> <87pmme8j36.fsf@miraculix.mork.no> <163bfd78-c21d-084c-9f6d-9d29b80bcbd1@necom830.hpcl.titech.ac.jp>
Date: Tue, 22 Mar 2022 10:35:04 +0100
In-Reply-To: <163bfd78-c21d-084c-9f6d-9d29b80bcbd1@necom830.hpcl.titech.ac.jp> (Masataka Ohta's message of "Tue, 22 Mar 2022 18:05:43 +0900")
Message-ID: <87czie8h4n.fsf@miraculix.mork.no>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TMbkpObSAGPmz9uQhURuBEcYVDg>

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> writes:

> Bjorn Mork wrote:
>
>>> Plain DNS with long enough message ID is secure enough.
>> Hello!
>> Can you please point me to the set of RFCs (or draft) which
>> describes
>> this "secure enough" alternative to DNSSEC?
>
> As I wrote "rely on DNS cookie or something like that",
> an example is in rfc7873.

Sorry for being slow, but you'll have to explain a lot more than that if
you want to convince me that DNS cookies and DNSSEC are equivalent
alternatives.  But maybe that wasn't your goal here? You're just happy
that you have seen the light and don't care if I understand what it is?

If so, then that's fine.  I don't understand why the announcement was
important though.

I was asking specifically for your alternative BCP.  "Go figure it
out by yourself with DNS cookie or something like that" just doesn't
make it.


Bjørn