[DNSOP] Re: Fwd: New Version Notification for draft-andrews-private-ds-digest-types-00.txt

Ben Schwartz <bemasc@meta.com> Tue, 23 July 2024 17:41 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Mark Andrews <marka@isc.org>
Thread-Topic: [DNSOP] Fwd: New Version Notification for draft-andrews-private-ds-digest-types-00.txt
Thread-Index: AQHa3FnTgSjFYTWdGki1PQS41g+flbIEZRBagAAczwCAAAjyKg==
Date: Tue, 23 Jul 2024 17:41:29 +0000
Message-ID: <SA1PR15MB43707E3420937C7FF9D2CB8CB3A92@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <SA1PR15MB43701E583A134C26A410C9A8B3A92@SA1PR15MB4370.namprd15.prod.outlook.com> <273D207B-0990-4323-9FBC-71BB1DBC4DE9@isc.org>
In-Reply-To: <273D207B-0990-4323-9FBC-71BB1DBC4DE9@isc.org>
CC: dnsop <dnsop@ietf.org>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UD4kv8xHNUNtEJCcILBPO5FEcjY>

OK, thanks for the explanation.  That helps me understand the scenario where this would be needed, but it seems like simpler solutions are possible.  For example, the resolver could be configured to restrict the use of PRIVATEDNS keys to specific subtrees where their usage is known.

This draft effectively turns PRIVATEDNS into a general-purpose extension point for _public_ DNSSEC algorithms.  These algorithms could be used interoperably in public, so they would be quite different from normal Private Use range values in an IANA registry.  That's an interesting idea, but it seems like a significant revolution in DNSSEC algorithm registration without an obvious motivation.

--Ben
________________________________
From: Mark Andrews <marka@isc.org>
Sent: Tuesday, July 23, 2024 12:28 PM
To: Ben Schwartz <bemasc@meta.com>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-andrews-private-ds-digest-types-00.txt

At the moment you can only have one private algorithm per key type world wide.

This is all to do with how you prove a zone is to be treated as insecure.  If example.com is using private.example.com and example.net is using private.example.net, how does a validator that knows about private.example.com prove that example.net responses are to be treated as insecure when there is a DS with PRIVATEDNS returned?
--
Mark Andrews

On 23 Jul 2024, at 07:46, Ben Schwartz <bemasc@meta.com> wrote:


Two questions I didn't see addressed:

Why would a zone need to be signed with multiple private algorithms?

Why isn't it sufficient to treat all private algorithms as a single algorithm for DS purposes, and distinguish by the Key Tag and/or trial hashing?

--Ben Schwartz
________________________________
From: Mark Andrews <marka@isc.org>
Sent: Monday, July 22, 2024 1:08 PM
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Fwd: New Version Notification for draft-andrews-private-ds-digest-types-00.txt

This addresses a gap in the DNSSEC specification.  DS records need to identify specific DNSSEC algorithms rather than a set of DNSSEC algorithms.

Begin forwarded message:

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-andrews-private-ds-digest-types-00.txt
Date: 22 July 2024 at 10:05:24 GMT-7
To: "M. Andrews" <marka@isc.org>, "Mark Andrews" <marka@isc.org>

A new version of Internet-Draft draft-andrews-private-ds-digest-types-00.txt
has been successfully submitted by Mark Andrews and posted to the
IETF repository.

Name:     draft-andrews-private-ds-digest-types
Revision: 00
Title:    Private DS Digest Types
Date:     2024-07-22
Group:    Individual Submission
Pages:    5
URL:      https://www.ietf.org/archive/id/draft-andrews-private-ds-digest-types-00.txt
Status:   https://datatracker.ietf.org/doc/draft-andrews-private-ds-digest-types/
HTMLized: https://datatracker.ietf.org/doc/html/draft-andrews-private-ds-digest-types


Abstract:

  When DS records were defined, the ability to fully identify the
  DNSSEC algorithms using PRIVATEDNS and PRIVATEOID was overlooked.

  This document specifies 2 DS Algorithm Types which allow the DNSSEC
  algorithm sub type to be encoded in the DS record.



The IETF Secretariat



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
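The gap the thread is about, shown in code. This is an added example, not code from the draft or from any of the posters: it builds two PRIVATEDNS (algorithm 253) DNSKEYs whose key field begins with the algorithm's domain name as RFC 4034 Appendix A.1.1 requires, derives SHA-256 DS records for them, and shows that both DS records carry only algorithm 253, so the DS alone cannot say which private algorithm the child uses. It also implements the alternative Ben raises, matching DS to DNSKEY by key tag plus trial hashing and only then reading the private algorithm name. Key bytes, owner names and the algorithm names are constructed for illustration.

```python
import hashlib
import struct

PRIVATEDNS = 253  # RFC 4034 App. A.1.1: key field starts with a wire-format algorithm name

def wire_name(name):
    """Uncompressed wire-format domain name (length-prefixed labels, root = 0x00)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def privatedns_dnskey(alg_name, raw_key, flags=257):
    """DNSKEY RDATA: Flags | Protocol(3) | Algorithm | Public Key, with the private
    algorithm name prepended to the key material as RFC 4034 requires."""
    return struct.pack("!HBB", flags, 3, PRIVATEDNS) + wire_name(alg_name) + raw_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the form used for every algorithm except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, rdata):
    """DS RDATA fields for digest type 2: SHA-256(owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}

def private_alg_name(rdata):
    """Read the algorithm name out of a PRIVATEDNS DNSKEY; a DS alone cannot do this."""
    pos, labels = 4, []
    while rdata[pos] != 0:
        labels.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii"))
        pos += 1 + rdata[pos]
    return ".".join(labels) + "."

def trial_match(owner, ds, dnskeys):
    """Ben's alternative: treat 253 as one algorithm at the DS level, find the DNSKEY
    by key tag plus recomputing the digest, then read its private algorithm name."""
    for rdata in dnskeys:
        if key_tag(rdata) == ds["key_tag"] and ds_from_dnskey(owner, rdata) == ds:
            return private_alg_name(rdata)
    return None  # no DNSKEY matches: the validator cannot learn which algorithm the DS names

# Constructed sample keys (not real key material).
KEY_COM = privatedns_dnskey("private.example.com", b"\x01" * 8)
KEY_NET = privatedns_dnskey("private.example.net", b"\x02" * 8)
DS_COM = ds_from_dnskey("example.com", KEY_COM)
DS_NET = ds_from_dnskey("example.net", KEY_NET)

def same_ds_algorithm():
    """Both DS records carry algorithm 253: the DS does not say which private algorithm."""
    return DS_COM["algorithm"] == DS_NET["algorithm"] == PRIVATEDNS
```

With only the DS in hand, a validator that supports private.example.com has no way to tell DS_NET apart from a DS for its own algorithm; it has to fetch the child's DNSKEY RRset and run trial_match before it can decide whether the zone is validatable or insecure.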