Re: [DNSOP] FYI - Added note about ECDSA resolver issue in Sweden - Fwd: New Version Notification for draft-york-dnsop-deploying-dnssec-crypto-algs-02.txt

George Michaelson <ggm@algebras.org> Mon, 31 October 2016 04:22 UTC

In-Reply-To: <40E4B8B2-10D2-4F99-A9C9-3CD314C64478@isoc.org>
References: <147788503336.20653.10711027347255017481.idtracker@ietfa.amsl.com> <40E4B8B2-10D2-4F99-A9C9-3CD314C64478@isoc.org>
From: George Michaelson <ggm@algebras.org>
Date: Mon, 31 Oct 2016 14:22:43 +1000
Message-ID: <CAKr6gn0Yc4g37sH0-vZ8csSoq4n7GmFAwPwt17DVmZPcsE-3uA@mail.gmail.com>
To: Dan York <york@isoc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XWDyPK3dhI5Xat3ylm-wiRqAH5M>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] FYI - Added note about ECDSA resolver issue in Sweden - Fwd: New Version Notification for draft-york-dnsop-deploying-dnssec-crypto-algs-02.txt

It is only my personal opinion, but I believe registrars are incorrect
in performing crypto alg checks on proffered DS, and this is an
entirely unwarranted and incorrect understanding of their role. It
conflates one public good (checking) with another public good
(registry of data into the DNS) and assumes one out-ranks the other:
it doesn't, and the inability to track crypto alg change makes the
checking wrong. It's the lesser of two evils to stop checking, and
permit unknown algorithms through.

I think this needs to be flagged up. Either they should be told to
stop, or the requirements for algorithm agility which their role
places on them should be made explicit.

-George

On Mon, Oct 31, 2016 at 1:49 PM, Dan York <york@isoc.org> wrote:
> FYI, I submitted a new version of this draft that added some text in the
> section about "Resolvers" that mentions the case Mikael Abrahamsson brought
> to us about how they had to disable DNSSEC validation in the CPE they
> deployed to their customers because the resolver software was not following
> RFC 4035 and was not ignoring signatures with unknown algorithms.
>
> Comments are of course welcome.
>
> For those who are interested in writing I-D's with markdown, I also
> transitioned the source of this version of the document to the flavor of
> markdown that works with Miek Gieben's 'mmark' processor. Paul Jones nicely
> packaged mmark and xml2rfc into a Docker container that works extremely
> well. This document and other links can be found in my Github repo at:
> https://github.com/danyork/draft-deploying-dnssec-crypto-algs
>
> Dan
>
> Begin forwarded message:
>
> From: <internet-drafts@ietf.org>
> Subject: New Version Notification for
> draft-york-dnsop-deploying-dnssec-crypto-algs-02.txt
> Date: October 30, 2016 at 11:37:13 PM EDT
> To: Ondrej Sury <ondrej.sury@nic.cz>, Olafur Gudmundsson
> <olafur+ietf@cloudflare.com>, Dan York <york@isoc.org>, " york@isoc.org"
> <york@isoc.org>, Paul Wouters <pwouters@redhat.com>
>
>
> A new version of I-D, draft-york-dnsop-deploying-dnssec-crypto-algs-02.txt
> has been successfully submitted by Dan York and posted to the
> IETF repository.
>
> Name: draft-york-dnsop-deploying-dnssec-crypto-algs
> Revision: 02
> Title: Observations on Deploying New DNSSEC Cryptographic Algorithms
> Document date: 2016-10-31
> Group: Individual Submission
> Pages: 9
> URL:
> https://www.ietf.org/internet-drafts/draft-york-dnsop-deploying-dnssec-crypto-algs-02.txt
> Status:
> https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/
> Htmlized:
> https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-02
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-york-dnsop-deploying-dnssec-crypto-algs-02
>
> Abstract:
>   As new cryptographic algorithms are developed for use in DNSSEC
>   signing and validation, this document captures the steps needed for
>   new algorithms to be deployed and enter general usage.  The intent is
>   to ensure a common understanding of the typical deployment process
>   and potentially identify opportunities for improvement of operations.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> --
> Dan York
> Senior Content Strategist, Internet Society
> york@isoc.org   +1-802-735-1624
> Jabber: york@jabber.isoc.org
> Skype: danyork   http://twitter.com/danyork
>
> http://www.internetsociety.org/
>
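Both points raised in this exchange, the registrar that rejects a proffered DS because it does not recognise the algorithm number, and the resolver that fails instead of ignoring a DS it cannot process, come down to the same question: what to do with an algorithm you have not heard of. The block below is an added example written for this page; it is not code from the draft, from any registrar, or from any resolver implementation. It models a registrar's DS acceptance check in both the strict form and the relay-with-warning form, and a validator's handling of a DS RRset under RFC 4035 section 5.2 (unsupported key algorithms) and RFC 6840 section 5.2 (unsupported DS digest types), with the DS-to-DNSKEY digest match computed as RFC 4034 specifies. The registrar's algorithm table, the validator's "supported" sets, the owner name example.com and the key bytes used in the usage note are all constructed for illustration; the key bytes are not a real public key.

```python
"""DNSSEC algorithm agility at two points in the chain: the registrar that accepts a DS
from a registrant, and the validator that meets a DS RRset it cannot process.  Added
example for this thread, not code from the draft, from any registrar or from any
resolver; the registrar table, the "supported" sets and all key bytes are constructed."""
import hashlib
import struct
from dataclasses import dataclass
from enum import Enum
# A registrar's own table, written before ECDSA (13/14) was assigned (constructed).
REGISTRAR_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
# IANA DS digest types -> (hash constructor, digest length in bytes).
DIGEST_TYPES = {1: (hashlib.sha1, 20), 2: (hashlib.sha256, 32), 4: (hashlib.sha384, 48)}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes
    protocol: int = 3

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the form used for every algorithm but 1)."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_ds(text: str) -> DS:
    """Parse presentation-format RDATA '<key tag> <alg> <digest type> <hex digest ...>'."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("DS RDATA needs key tag, algorithm, digest type and digest")
    key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    if not (0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF and 0 <= digest_type <= 0xFF):
        raise ValueError("DS field out of range")
    return DS(key_tag, algorithm, digest_type, bytes.fromhex("".join(fields[3:])))

def registrar_check_ds(ds: DS, strict: bool = False) -> tuple[bool, list[str]]:
    """Should the registrar relay this DS into the parent zone?  strict=True is the behaviour
    the message objects to: anything outside the registrar's own table is rejected.  strict=False
    keeps only the wire-format check and relays unknown values with a warning for validators to judge."""
    notes = []
    if ds.algorithm not in REGISTRAR_ALGORITHMS:
        if strict:
            return False, [f"algorithm {ds.algorithm} not in registrar table"]
        notes.append(f"algorithm {ds.algorithm} unknown here; relayed unchecked")
    entry = DIGEST_TYPES.get(ds.digest_type)
    if entry is None:
        if strict:
            return False, [f"digest type {ds.digest_type} not in registrar table"]
        notes.append(f"digest type {ds.digest_type} unknown here; length not checked")
    elif len(ds.digest) != entry[1]:  # a genuine format error, rejected in both modes
        return False, [f"digest type {ds.digest_type} needs {entry[1]} bytes, got {len(ds.digest)}"]
    return True, notes

class Status(Enum):
    SECURE = "secure"      # a DS the validator supports authenticated a DNSKEY
    INSECURE = "insecure"  # no usable DS: the child is served as unsigned
    BOGUS = "bogus"        # a usable DS existed but nothing verified (SERVFAIL)

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) owner name, RFC 4034 section 6.2."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    hash_fn, _ = DIGEST_TYPES[digest_type]
    return DS(key.key_tag(), key.algorithm, digest_type, hash_fn(name_to_wire(owner) + key.rdata()).digest())

def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True when the DS authenticates this DNSKEY; the digest type must be one we support."""
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return ds_from_dnskey(owner, key, ds.digest_type).digest == ds.digest

def classify_delegation(owner: str, ds_rrset: list[DS], dnskeys: list[DNSKEY], supported_algs: set[int],
                        supported_digests: set[int], rfc4035: bool = True) -> Status:
    """Security status of a delegation given its authenticated DS RRset.  RFC 4035 section 5.2
    (key algorithms) and RFC 6840 section 5.2 (DS digest types): DS records the validator cannot
    process are ignored; if none remain, the child is insecure, as if an authenticated NSEC proved
    there is no DS.  rfc4035=False models the resolver in the thread, which fails (bogus) instead.
    RRSIG verification with the authenticated key is the next step and is not modelled."""
    usable = [ds for ds in ds_rrset if ds.algorithm in supported_algs and ds.digest_type in supported_digests]
    if not usable:
        return Status.INSECURE if rfc4035 else Status.BOGUS
    if any(ds_matches(owner, ds, key) for ds in usable for key in dnskeys):
        return Status.SECURE
    return Status.BOGUS
```

With supported_algs={5, 7, 8, 10} (an RSA-only validator that predates ECDSA) and a single algorithm-13 DS for example.com, classify_delegation returns INSECURE under the RFC 4035 rule and BOGUS for the non-compliant model; add 13 to the set and the same DS authenticates the DNSKEY and the result is SECURE, while a DNSKEY that does not match a usable DS is BOGUS in both models. On the registrar side the same algorithm-13 DS is rejected outright in strict mode and relayed with one warning otherwise; a digest whose length does not fit its digest type is rejected in both modes, because that is a format error rather than an agility question.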