Re: [DNSOP] More private algorithms for DNSSEC

Mark Andrews <marka@isc.org> Mon, 28 March 2022 11:00 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D71EF3A1185 for <dnsop@ietfa.amsl.com>; Mon, 28 Mar 2022 04:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=HOSGL4mI; dkim=pass (1024-bit key) header.d=isc.org header.b=JWXw4/Sw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rS0RujIyWSyB for <dnsop@ietfa.amsl.com>; Mon, 28 Mar 2022 04:00:34 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF8143A10E5 for <dnsop@ietf.org>; Mon, 28 Mar 2022 04:00:33 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 2045A3AB008; Mon, 28 Mar 2022 11:00:31 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 2045A3AB008
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1648465231; bh=p0PtkXDbLQGsgzieNI5TIRPJ9ZXrko+X/I4n+4PzWpg=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=HOSGL4mIer7E0GUKg5pZBPhqruAoQIcPfRVMP1DUxzpFNvMR80l0Tfm1/Q2TL9HWY CmTAir/vtwtML8M3HNMtRq/dJqyrrOtkn2JDlVx1FLa8mVihGYE2lq3PhA136YCZdm 1nDr/GYiegwhyeq+4aS9eeFnNftzje/uPb8vxfVs=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 9263A11043AC; Mon, 28 Mar 2022 10:59:32 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 6C59F11043FC; Mon, 28 Mar 2022 10:59:32 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 6C59F11043FC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1648465172; bh=btMUnf407A6IKYCUw2Z5FdQYALAdF2/qRKN322k1CZE=; h=From:Mime-Version:Date:Message-Id:To; b=JWXw4/SwcC/T0ueytnxl9MGihtG6J2owgN7ZLog+VtwFgzjNssixe3fnxVc9n8P+/ T3h3i5vPLAp1CVQnnmGDRMpU6XTHpZKfzx0g+9oETox9mLURZBZGc74MwsTxCdfS+Q 9AnSiWvJKQMFB6U08ziswM3xEuG7H3FXcXElVnTc=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id d-9mVP7DbJD6; Mon, 28 Mar 2022 10:59:32 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id EEF5111043AC; Mon, 28 Mar 2022 10:59:31 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Mon, 28 Mar 2022 22:00:27 +1100
Message-Id: <0306EA0D-FC94-46E4-A320-0F34C5F94190@isc.org>
References: <4569337c067704e1c609850779ba7bfe75a35d58.camel@desec.io>
Cc: Peter van Dijk <peter.van.dijk@powerdns.com>, dnsop WG <dnsop@ietf.org>
In-Reply-To: <4569337c067704e1c609850779ba7bfe75a35d58.camel@desec.io>
To: Nils Wisiol <nils@desec.io>
X-Mailer: iPhone Mail (19D52)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/USRpsM6vg3_pm4QfRNCFhGxvwj4>
Subject: Re: [DNSOP] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 11:00:39 -0000

Bind treats it as unknown as there are no private types yet. If one decides to add support for a private type then you add the code to check the identifier of the private type and differentiate that from other private types. 

This behaviour is specified but not yet implemented. 

The same applies to OIDs. 

-- 
Mark Andrews

> On 28 Mar 2022, at 19:49, Nils Wisiol <nils@desec.io> wrote:
> 
> On Mon, 2022-03-28 at 12:23 +1100, Mark Andrews wrote:
>> Please quote where it is stated that “private is not for
>> experimentation”.
>> 
>> 
>> 
>> Private is private.  Do what you want with it as long as you identify
>> the
>> 
>> the algorithm uniquely and that includes experimental
>> implementations.
> 
> Hi Mark,
> 
> my understanding of 'private' is that I cannot have any expectations on
> how the resolver will treat it. Hence, when experimenting with new
> DNSSEC algorithms, 'private' is not the behavior I am interested in.
> Instead, I am interested how the resolver would treat my new algorithm
> if it was assigned a (regular, non-private) code point.
> 
> Arguing that resolvers would behave the same on unknown code points and
> private code points is difficult, as a large portion of users use
> closed-source implementations. You said yourself that BIND "currently"
> treats 253 as unknown; so different behavior is conceivable? This
> uncertainty can be partially addressed by reserving some code points
> for "unknown algorithms" behavior (rather than the semantics of 253).
> 
> While this will not solve all concerns with such studies, I'm not aware
> of significant downsides to reserving more code points. (Other than
> running out of numbers, do you have any other concern?)
> 
> Alternatively, people can just used unassigned numbers. I did that
> recently, and my impression was that people read that as me trying to
> create facts for a future official number assignment -- an impression
> that I did not intend to make and would like to avoid in the future.
> 
> Best,
> Nils
> 
> 
> -- 
> deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany
> 
> Vorstandsvorsitz: Nils Wisiol
> Registergericht: AG Berlin (Charlottenburg) VR 37525
> 
>