Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Shumon Huque <shuque@gmail.com> Thu, 20 July 2017 10:11 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE489131BFC for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 03:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2zc4zWliK6J for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 03:11:35 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E23E12F290 for <dnsop@ietf.org>; Thu, 20 Jul 2017 03:11:35 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id w45so19310633uac.5 for <dnsop@ietf.org>; Thu, 20 Jul 2017 03:11:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=XjmIik4H534eoLLpIA6SJ0oddvsK3LuXj0IbeHzThnA=; b=dytKQJ3LCZfTF5WWM85HoJW+xVMejf3Q/T2zosc/INBphJGeVfunSQTDlbJKGThbQB fyA1bO1iXFUwo41/KNT7rzrcUN7U6XjlegLmTtEiAt0fppTyhPWJylCoHM75yv/pyocB E8GKY7fVKqA2Jboa4HrcxVy8pOBL7+nTvLKrj4rCAsf4gBpnqXCQdIDQd82T+iFKyMNU 7fzcnDZw+QGomHMQOodCIEsMrMzDmbEfXJVEYJ5X+MmQzyTXVqcnJhP6dNVO5vW+vqgG UsguHRGPKhT6b7I242GOyujIXZdAQftQZRfgTPRbbSpb6gPx2nNS2hmSq5dSKbkjv4Of KCUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=XjmIik4H534eoLLpIA6SJ0oddvsK3LuXj0IbeHzThnA=; b=HGa80MD3hlY7EZNXzKM8qUJQV31wcvIg4EsxKDsyr6py9LGJnADK0mPkM+TfRuDFWT Pn5vXIcS9soE7q0QnvkDoI90tJ3fzZ4ZkNalLyhDeTkn6j0+AdzAh+rkBdCNM8a3VhMm 5a00lsfhqXsu9zSOUqMAMPvx5As+2JdXRinBi8yNNTcGb4T9Jwa92+W9fvNrqghL8xwz Bd07kowEGFrQmMm+LzfbKfDE30J6qNFWHcghgDpgtjiJCJJuBM5ki1tmz5JNaHfDbRGX yV60KOHnOafOs+HGIYUvszK1CNBWeT5lZPCGu5voIbbGLpsscFjZT37KiXNSVrsqlwsc Li4w==
X-Gm-Message-State: AIVw111FMWfg3x5PbsK+Qm75eB7le84FfLz34J5D3PBUL6BYKV1D/ntB twe+IXlDuHmwwVO4RdaczYspXAEdb9AK
X-Received: by 10.176.2.116 with SMTP id 107mr1836861uas.203.1500545494323; Thu, 20 Jul 2017 03:11:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.91.78 with HTTP; Thu, 20 Jul 2017 03:11:33 -0700 (PDT)
In-Reply-To: <257a0f7a-a78d-d665-512f-ff2a71dfaede@nlnetlabs.nl>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com> <CAN6NTqwB8b1aFsZg=LnaLWLrhLDe9-N3CVPO=qcHWXZTqSettg@mail.gmail.com> <CAHPuVdVGn0p9g5c-kXwmy_N2WtrGxDhcEG2mkxWyvh5XVTcMoQ@mail.gmail.com> <257a0f7a-a78d-d665-512f-ff2a71dfaede@nlnetlabs.nl>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 20 Jul 2017 12:11:33 +0200
Message-ID: <CAHPuVdWzTO92mCF8Pg=5p9sxHYXat0wRsDj5WB9TF-jYOjOZ7Q@mail.gmail.com>
To: Willem Toorop <willem@nlnetlabs.nl>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a113e45d42897b00554bcf9aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XRLPmnhZ-vOtX4OT_WpoCF1tm7g>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 10:11:37 -0000

On Thu, Jul 20, 2017 at 11:48 AM, Willem Toorop <willem@nlnetlabs.nl>; wrote:

> Op 20-07-17 om 10:45 schreef Shumon Huque:
> > On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson
> > <olafur@cloudflare.com <mailto:olafur@cloudflare.com>> wrote:
> >
> >
> >     I disagree, if a zone operator selects "less-than" common algorithm
> >     they do that at their own risk,
> >     if the risk is not acceptable then it should dual sign....
> >
> >
> > Yes. The point I was trying to make is that DANE sites (and probably
> > others if they care about security) cannot afford to fail open. So they
> > have to dual sign if they can stomach the costs, or delay deploying new
> > algorithms for a long time. This draft is intended to (eventually) make
> > the dual signing case easier to deal with operationally.
>
> So,
>
> Providers of DANE backed services are stuck on the well-known
> algorithms, and do not have insight on algorithm support by clients
> verifying these services with DANE.
>
> This draft in combination with double signing, provides the means to
> deal with this (and in a secure manner too).
>
> I think this is an important motivation of this work and that this
> should be reflected in the Introduction section of the draft.
>
> -- Willem
>

Thank you Willem, and your point is noted. We will work on improving the
introduction to address this.

-- 
Shumon Huque