IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-belyavskiy-rfc5933-bis

Ondřej Surý <ondrej@isc.org> Tue, 16 June 2020 07:52 UTC

Return-Path: <ondrej@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 428CA3A110E; Tue, 16 Jun 2020 00:52:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ew5HowHcrn7i; Tue, 16 Jun 2020 00:52:50 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DE963A110D; Tue, 16 Jun 2020 00:52:50 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 8741B3AB002; Tue, 16 Jun 2020 07:52:50 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 6D05D16007B; Tue, 16 Jun 2020 07:52:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 504E016006B; Tue, 16 Jun 2020 07:52:50 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rFheDjvaGjEn; Tue, 16 Jun 2020 07:52:50 +0000 (UTC)
Received: from [10.10.11.185] (adria.kvarteto.net [82.113.55.18]) by zmx1.isc.org (Postfix) with ESMTPSA id 2AE49160006; Tue, 16 Jun 2020 07:52:49 +0000 (UTC)
From: Ondřej Surý <ondrej@isc.org>
Message-Id: <7FF83D52-F20B-4FF2-82AA-416835FCA5F4@isc.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_C975CBC1-94D8-4EF4-AC36-BFE2A0E60E06"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 16 Jun 2020 09:52:45 +0200
In-Reply-To: <A930F8C6-9C33-4933-AC37-579ACEF5B325@ogud.com>
Cc: Tim WIcinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
To: Olafur Gudmundsson <ogud@ogud.com>
References: <CADyWQ+H4713BnZDntTuVW0FrO59zZ9NFJ=J=n9JFFq2zmfy2pQ@mail.gmail.com> <A930F8C6-9C33-4933-AC37-579ACEF5B325@ogud.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UkVjQhbA4tz8NesBolB83BN81O4>
Subject: Re: [DNSOP] Call for Adoption: draft-belyavskiy-rfc5933-bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2020 07:52:52 -0000

Hi,

I do not hold as strong position as Olafur here, but I concur that the document
needs much better rationale. There’s no rationale for adopting the new GOST
algorithm at the moment and I would especially like to hear why GOST 2012
should be standardized and EC-KCDSA (Korean) and ECGDSA (German)
should not.

I specifically think that we should only standardize algorithms recommended
by cfrg such as RFC 7748 or RFC 8439 (just example, not applicable).

I consider the previous GOST standardization for DNSSEC to be a fiasco.

I would also ask the WG to require a implementation report before we send
this to WGLC. The support for GOST family of algorithms varies between
the various crypto libraries. I found it problematic for the DNS vendors that
OpenSSL supports the algs only in form of OpenSSL engine, and that said
engine had last release in 2018. The project activity looks fine, but issues
like this[1] don’t exactly fill me with trust, but at least there’s an active maintainer
for the project.

As of the adoption - I am indifferent, the things I mentioned could be done
with or without WG adopting the document, but I think that the document
should not become a RFC (not even Informational) before the items I
mentioned are cleared.

1. https://github.com/gost-engine/engine/issues/91

Ondrej
--
Ondřej Surý
ondrej@isc.org

> On 16 Jun 2020, at 04:42, Olafur Gudmundsson <ogud@ogud.com> wrote:
> 
> 
> Thom
> As I have before stated in the past, adding new DNSSEC algorithm is bad for interoperability,
> I oppose the adoption of this document unless there are better reasons put forward why this algorithm is better than
> the 4 ECC algorithms that have been standardized so far.
> Better in this case could be stronger, faster, better post-quantum resistance etc
> 
> Also I want to point out this last call did not specify track so my opposition is against all tracks, at this point.
> 
> Olafur
> 
> 
> 
> 
>> On Jun 3, 2020, at 5:07 PM, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>> 
>> 
>> All,
>> 
>> As we stated in the meeting and in our chairs actions, we're going to run
>> regular call for adoptions over next few months.
>> We are looking for *explicit* support for adoption.
>> 
>> 
>> This starts a Call for Adoption for draft-belyavskiy-rfc5933-bis
>> 
>> The draft is available here: https://datatracker.ietf.org/doc/draft-belyavskiy-rfc5933-bis/
>> 
>> Please review this draft to see if you think it is suitable for adoption
>> by DNSOP, and comments to the list, clearly stating your view.
>> 
>> Please also indicate if you are willing to contribute text, review, etc.
>> 
>> This call for adoption ends: 15 June 2020
>> 
>> Thanks,
>> tim wicinski
>> DNSOP co-chair
>> 
>> 
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email