Re: [DNSOP] [Ext] About key tags
Shumon Huque <shuque@gmail.com> Tue, 05 March 2024 02:06 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12906C180B72 for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2024 18:06:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HDtcOka7lIc for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2024 18:06:37 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEA6BC1519A9 for <dnsop@ietf.org>; Mon, 4 Mar 2024 18:06:37 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id ca18e2360f4ac-7c403dbf3adso360553039f.1 for <dnsop@ietf.org>; Mon, 04 Mar 2024 18:06:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709604397; x=1710209197; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nKeUJR06RUvTeBPvNO+jEAZlmRxyvkRTCpEcySMkO78=; b=Ey3t/9j5gR3Hd3Vjf5llpZWRQkBCAKmU81mL2Q2mnjY5/ay6J4U7AcjlG6PvCRzIkn 4dR3Gg8qocVixQTZQY9zTq6Vv3z7JG/oWIyY24MitlTL3ctqRg+fhiOEOKiDf/FRgONP Fc0pHIwoYPfhAJkzI86h7W1YbbI4IZZOUJKDVq6QO5+uqwowgJeaSSZ95X2C+WVCCkT9 2svV6+ZzWWhUNDCf2uCdl/k4u3PTvdz4D3ke8mRQHl57j5ttwNugSj0RujS4HAqdK2ee ZU2h1e40bVLlTbAbPhQ83UzD+Ca8YKcrMHKOtBEIcpwfmgg7RIm41fIvwHv0LU4jcD1E wLAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709604397; x=1710209197; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nKeUJR06RUvTeBPvNO+jEAZlmRxyvkRTCpEcySMkO78=; b=LvtqTMZewGwmMovsd5EVR7Gtv8tj+lIG1j1FMS/kEnk3ULxRpeCsU7aZNfxY0yeMkP OwfN1t2lq5aSibtiiH1D8d3lS1d5IBzXXsbV+vJ8QdboCvePSBHKBSHWbFYXznM8YIjy gRQtbnX2nxrPd9Jp7EqDs3YP+0hEDg+RR6TSdL7gW4r53QI+W+wGKQR7fzslxJTcq56a QD2+K2Klo2Pk56z3D3ivwrBWytZtTb4T+ExoWeuM/97k6SPKv4fCmHQJ5k8KRCbwzkC/ TdZL9M4tiyc6WAxRYpDmmTFVZUevvsOQDPHu+VxVp3JsQdiDJB7zjf1A+8Ey7YRuf98T tKVA==
X-Gm-Message-State: AOJu0Yy9iDa3DHyDLDAEHVGIZcHgxv4OZGYAoIqVsie/2Z3zapdicBCp LujChWEAz0ONskaI8uPkaNXZu0ay3qy23zhV7F+95exvUcyJ5SGsK4F0W2AFtOF5TXGe4vGXlBR mkj7d3JsvTBuYar7S0W/T2rFCWvM=
X-Google-Smtp-Source: AGHT+IF46bIAPLkOqDoBHSYceOHTs7JTdw6HdrffiZ9QiCqlMS4JDZ/A1nAcohcUtR3k2C0OhjfApADmGEa4VVQslEI=
X-Received: by 2002:a05:6602:460b:b0:7c8:4342:7867 with SMTP id do11-20020a056602460b00b007c843427867mr7596262iob.13.1709604396920; Mon, 04 Mar 2024 18:06:36 -0800 (PST)
MIME-Version: 1.0
References: <BBA3FCAF-C5AA-40B0-A1E7-6773330A8E30@fl1ger.de> <FB36282B-5C87-4ED0-8669-D0438666F08D@strandkip.nl> <CANLjSvUi31srBhcUP513egeiKHGfMRyyRZrqYwLHug_n_i=K2A@mail.gmail.com> <D36D404C-C495-4838-BECA-417801327282@icann.org> <m1rg5V1-0000M5C@stereo.hq.phicoh.net> <5B66188E-0615-45C4-BAD3-F546F7F88254@icann.org> <m1rg7sM-0000LXC@stereo.hq.phicoh.net> <fbdb9145-4f98-469d-a8cb-b0a5dedd0ca2@desec.io> <m1rh3gl-0000KqC@stereo.hq.phicoh.net>
In-Reply-To: <m1rh3gl-0000KqC@stereo.hq.phicoh.net>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 04 Mar 2024 21:06:25 -0500
Message-ID: <CAHPuVdWQOJs0K8w1SfJ2hNf=C+POeFg7TG8YcWbQx9NR5yRurQ@mail.gmail.com>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Cc: dnsop@ietf.org, Peter Thomassen <peter@desec.io>
Content-Type: multipart/alternative; boundary="000000000000c8f6d70612e04a35"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W8S0d21Ay5TXCquzF0OwTwG7yzs>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 02:06:42 -0000
On Mon, Mar 4, 2024 at 3:29 AM Philip Homburg <pch-dnsop-5@u-1.phicoh.com> wrote: > > What I mean is that if we take all of the standards track DNSSEC RFCs and > we > add a new RFC that says something to the effect: > 1) A signer MUST NOT sign a DS or DNSKEY RRset if the set has duplicate key > tags. > 2) An authoritative DNS server MUST not serve a set of RRSIG records that > corresponds to a single RRset where the collection of RRSIG records has > a > duplicate key tag. > > then as far as I can tell, there is no conflict with currently published > standards track DNSSEC RFCs. > > In addition for most signers and authoritative servers it will be easy to > meet > those requirements and many signers are already in line with those > requirements. > > The only thing that prevents us from publishing such an update is an > informational RFC about multi-signers (or other practices that are not > documented or standardized within the IETF). Note that RFC 8901 is an IETF consensus document that was produced in the DNS Operations working group. So, we can't just dismiss it and propose protocol changes without considering effects on that (and other documents). As I also noted earlier, its status will likely be upgraded when we revise it. Furthermore, it is not as some have previously tried to characterize it, a niche configuration that only a few large enterprises will use. Multi-signer is a key enabler of non-disruptive transfers of signed zones across distinct providers. There is a currently adopted working group document (intended category: Standards Track) that is laying out the details of that process: https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-automation/ Here's a presentation from Christian Elmerot, of a real world example of a recent successful multi-signer transition (.GOV from Verisign to Cloudflare): https://indico.dns-oarc.net/event/48/contributions/1038/attachments/1005/1948/gov-transition-nsec-nsec3.pdf Some (single) organizations are also looking at multi-signer techniques for deployments across distinct HSM vendors. Separately from multi-signer, I agree with John Levine's comments about not breaking existing configurations that are deployed in the field. Shumon.
- [DNSOP] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] About key tags Mark Andrews
- Re: [DNSOP] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Havard Eidnes
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Yorgos Thessalonikefs
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Donald Eastlake
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags and sensible lim… John Levine
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and their infreq… John R Levine
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags and collision nu… John R Levine
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and collision nu… Mark Andrews
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Lanlan Pan
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags Dave Lawrence
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček