Re: [DNSOP] [Ext] DNSSEC Strict Mode
Bob Harold <rharolde@umich.edu> Fri, 26 February 2021 15:06 UTC
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 032C03A09C0 for <dnsop@ietfa.amsl.com>; Fri, 26 Feb 2021 07:06:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5uhC0EXvq-F9 for <dnsop@ietfa.amsl.com>; Fri, 26 Feb 2021 07:06:34 -0800 (PST)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E28A23A0BDF for <dnsop@ietf.org>; Fri, 26 Feb 2021 07:06:31 -0800 (PST)
Received: by mail-qk1-x732.google.com with SMTP id q85so9300202qke.8 for <dnsop@ietf.org>; Fri, 26 Feb 2021 07:06:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K1DuFELR1WSySWBlkxljwHSB7hveYuDea0PP3ibbFOw=; b=jWDZHX0U/N5uuOOR4PpkoXlYjGfpfe5bOU89WxkUwmUUO4apYrTJ9WoFZ/2MzTXAiQ KJCYoTkbyZGFMr/2yG88b31RSLWvp9iQaVJWFtqhpMPOKaWZtTEQInedBysV9Pjg5a1j xRUHztv3PkTAkoiImz6A3Kjbtqwyvmw2KP6U+ASWyU+HeBqfGuPNH5K8u+P9zfcqDQuo 07Yp5JGoQoqhoMV3B7GwJMxLNz/mBpEkoe4ldLogJSeXQVAvROkMgRZ23nK472+iR92C qn8iC1nyf46JPgKQohZA8TEoVjgCcTu0VrhW/NftcgaacZk89vXMvJIrzqFXco3OQ8WX 74Sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K1DuFELR1WSySWBlkxljwHSB7hveYuDea0PP3ibbFOw=; b=ewZwjlACycpVKyI4BO/1b0x6ZNAHzPF1lchgezRTttUpCrk158jSLLNvVkrGZH4FKt 4DjKZlxhUb9vZMHw3ibSUVZPFRQ1UPzvmSfiMV4ie5bi3yRGPplotFRnrFeVtzgqwvpJ FcBUYC369c/gX9vI8KESjFJSH3RyTL9/FvBhNUi46L1XrpBGL2A2xWMgoV2EiYp/E+ve svN3s0I4WXcOvXdg/cVlYphnA2tD0PB2Esdu4Yb5Ub0cfMy1Tr32aAtW1uUUUTDV4C2j Mw5mxVbsobuxMCDrNJ2J8yL1AoYUtuwv+MjZQi4uem03GBuZqh7A91T6LZkmBlioTjPe s37w==
X-Gm-Message-State: AOAM532h4hYSSd7t5dn/u3oO0Ge5gzkvr2aRusjQCnge9cf/5JnZim8h JmlCm8tLMZn4wmHx7rP1WW57IGG5qh6Ejh7Sg2fxEg==
X-Google-Smtp-Source: ABdhPJzHJNfPvf+4gPIB+I2HFN8MYNKYCO+ozuy6kedS0+9RlwSOeDiIyoQxYn0kcad7g39ZkxVouhwwQ51vZCjKB8A=
X-Received: by 2002:a05:620a:1251:: with SMTP id a17mr2991820qkl.431.1614351990924; Fri, 26 Feb 2021 07:06:30 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com> <B2CF080D-7513-4414-9316-9999AF441F43@icann.org> <CAHbrMsAdbn85AUCY9Yr6XXU-6Ti4dKwR1=zncGj4z-SjznAF3w@mail.gmail.com> <76A8C023-AB7D-4D50-BE85-B1BAFDD3FBD4@icann.org>
In-Reply-To: <76A8C023-AB7D-4D50-BE85-B1BAFDD3FBD4@icann.org>
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 26 Feb 2021 10:06:19 -0500
Message-ID: <CA+nkc8D4aC30ooepVDUewU_rSqh1XaBa2qCgE7izuEBALXczSw@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f635fc05bc3e9cf7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WNSuIuQKrbWEZWLg-vi0a2WPkY8>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 15:06:37 -0000
If you sign your zone with several algorithms, and mark them all 'Strict", you are asking my resolver to do extra work. I will probably configure my resolver to only validate with one algorithm. Maybe the strongest, maybe the least cpu intensive, my choice, not yours. -- Bob Harold On Thu, Feb 25, 2021 at 4:21 PM Paul Hoffman <paul.hoffman@icann.org> wrote: > On Feb 25, 2021, at 8:06 AM, Ben Schwartz <bemasc= > 40google.com@dmarc.ietf.org> wrote: > > > >> On Thu, Feb 25, 2021 at 10:26 AM Paul Hoffman <paul.hoffman@icann.org> > wrote: > >> In reading draft-schwartz-dnsop-dnssec-strict-mode, I still don't > understand why it is even useful. If I am signing one of my zones with two > algorithms, I must intend to do so. What is the value of me saying that > only one of the signing algorithms is the strong one? > >> > > That's not especially the intent. Currently, if you sign with two > algorithms, and either of those algorithms becomes insecure*, your zone > becomes susceptible to forgery. If you mark both algorithms as Strict, > then your zone remains secure (for validators who implement both algorithms > and this draft). > > *possibly unbeknownst to the public > > > If the algorithm becomes insecure and the public knows about it, I remove > that signature from my zone. > > If the algorithm because insecure and I don't know about it, I am at the > same risk as if my private key was compromised and I don't know about it. > > Again, this seems like it could only be marginally useful relative to good > signing practices. > > --Paul Hoffman > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode Petr Špaček
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Samuel Weiler
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Brian Dickson
- Re: [DNSOP] DNSSEC Strict Mode Ralf Weber
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Brian Dickson
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Wes Hardaker
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Joe Abley
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Samuel Weiler
- Re: [DNSOP] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Bob Harold
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Joe Abley
- [DNSOP] Fwd: [Ext] DNSSEC Strict Mode Ulrich Wisser
- [DNSOP] signalling mandatory DNSSEC in the parent… Jim Reid
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ben Schwartz
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Paul Wouters
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Havard Eidnes
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ben Schwartz
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser