IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for Revised IANA Considerations for DNSSEC

Daniel Migault <mglt.ietf@gmail.com> Wed, 15 September 2021 21:51 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81AFA3A14D2; Wed, 15 Sep 2021 14:51:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwtYVnl0TM1A; Wed, 15 Sep 2021 14:51:28 -0700 (PDT)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 249E43A14CB; Wed, 15 Sep 2021 14:51:28 -0700 (PDT)
Received: by mail-qv1-xf2c.google.com with SMTP id a13so2887732qvo.9; Wed, 15 Sep 2021 14:51:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f6PRrNphv3v5imjqz/aEuor4DWEzjJOFg2qiWt/eH+4=; b=Ku9sqBhfGp2JJb+3wjbL0S/3/klC32/IlJCyz9BSWxnsDS4uGSt2wSyPtdoqHvMAdr ai7ZmbcyYn2NmA8L4E64vlR52ZD0PB6o48AVpEYSPiKnr2oXf0EVdWcUz9bya8E71YoC 9rGCnSWHW+Vw/eqWDrH87fcDUkUIiqzcWvTzsuBtObZyExkNK9i/fQd/c9N5N+M6w/ak ewI4IL8EY86hVvmcB/LzWctMUwSCTUczXJldpITsz9WHE6Dg5y+le2uqs1NDlShE3ibI W9H+ZkOUV5s1JKW7y+ViXdJd86WPDBBaKOWmhTZ/N07Mm1+olylfXBKK1d5lNm/jQSG9 MkPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f6PRrNphv3v5imjqz/aEuor4DWEzjJOFg2qiWt/eH+4=; b=J3H5aPcf2IK6YAOUq1UBYSDvZyv6JKqM04zsBnFuUTqgHjvLQsqVYE41qjchpMWz5w NyunDrG5koizysJUvcmEnMb635nrWXmXur8hBuCEin48ucj8CtYOrTUQPis5maFajYT3 DdmWpvj/VTm/PKbHKVRY/I6XjiiaXR1Os7eMji7Hc/Uiqgrqg2zL5FHdsPhugUP+gefn OTSO89iqFIcwAx0dWa7j+nST8gTFuucYz8dkfMjvDeYJngyFvN2CObht520kUYBL+kVv 6XkxrYoGjyELcKPI3+G8DkGvBDBFQ1GNlHfttlUy7ZSZmL9ewJGAAI8nks6FQ/4J7kn0 eqdg==
X-Gm-Message-State: AOAM530B5OImV/iIxFVS8f+WI6FpUx/Q13n0s6ZL3MfmYs/1SoJgw304 pIabi1mSA9SLgGKFPR+TTTyYPEXP+JdP+lT3hlw=
X-Google-Smtp-Source: ABdhPJy37MZ4tqijEd7sqU5A9M+u4jfojNritpZoOQ0CNPnuNm4lz2BQuP4P2V0u3Pj7flqexO2y6W1unr/XvjftuSE=
X-Received: by 2002:a05:6214:20eb:: with SMTP id 11mr2016042qvk.52.1631742685955; Wed, 15 Sep 2021 14:51:25 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+Fyi1M56t6WQ=0EB1yZf1tKP7uSiaZHLLtvDLn_KUHrng@mail.gmail.com> <CADyWQ+HGP0OTnH9YniM+XQc9dHMkTC4Amid8BoRm-1OZ=6Mkgw@mail.gmail.com> <CADZyTk=bQxJHw8b2eXYLnJYx+2hpEKZBerR5FN0_n5nEnQc3kA@mail.gmail.com> <f8997302-0325-7499-9cb4-4d971db2ec9d@nic.cz>
In-Reply-To: <f8997302-0325-7499-9cb4-4d971db2ec9d@nic.cz>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 15 Sep 2021 17:51:15 -0400
Message-ID: <CADZyTknMeK5Qygjj4kWF6Ouau8fPgyoPmkpc6SDrSa8qPp--HA@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: dnsop <dnsop@ietf.org>, last-call@ietf.org, draft-ietf-dnsop-dnssec-iana-cons@ietf.org
Content-Type: multipart/alternative; boundary="000000000000294af605cc0fb3aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/X_O5vNrpZxF01kbixhvu63Yh2IA>
Subject: Re: [DNSOP] Working Group Last Call for Revised IANA Considerations for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 21:51:34 -0000

Hi Vladimir,

Thanks for the feedback. Please see my responses inline.


On Wed, Sep 15, 2021 at 1:45 PM Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
wrote:

> On 15/09/2021 16.41, Daniel Migault wrote:
> > Outside experimentation, especially for national algorithms, this will
> > lead to nations having their algorithms qualified as standard while
> > other nations having their algorithms qualified as non standard. I
> > would like to understand why this cannot be a problem.
>
> I'm sorry, I'm a bit confused about which nations would get standard
> algorithms.  Are P-256 and P-384 considered "national" crypto?  I know
> they're from NIST, but they seem widely popular outside USA.
> Technically we have old GOST algo(s) on standards track, though they are
> already obsolete in its nation, so those? Or some other (planned)
> algorithm I've missed?  Apart from that, I personally think that
> allowing "cheaper" allocations of algorithm numbers *reduces* this
> disparity/problem instead of making it worse, but perhaps I'm missing
> the essence of the issue.
>
> The reason I am mentioning the national algorithm is that these motivated
the support for lowering the barrier for a code point allocation at least
during the call for adoption. I was wondering if such nations would find it
acceptable to have their algorithm as non standard. I do not have any
specific example in mind and as far as I know GOST is standard [1] - This
was already the case during the call for adoption and I suppose it was
mentioned as an example.
I am pretty sure similar cases will show up in the future, so we should
try, as you mention, to reduce these disparities. If that is not seen as an
issue, that is good. In any case the issue there was non technical.

[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5933-bis/



> Interoperability could be mentioned for reference, though in practice
> having a standard does not necessarily help that much, e.g. Ed25519
> validation levels are still rather low after four years with standard
> and Ed448 is probably even worse:
> https://www.potaroo.net/ispcol/2021-06/eddi.html
>
> What I meant is that when a code point is adopted as a standard, there is
a commitment from most resolver developers to support it. Interoperability
is then provided when all resolvers are updated and it takes some time
(software life cycle management) for the system to provide
interoperability.
I agree with you that standard does not mean implemented by the resolver
but mostly because a standard algorithm may also be deprecated, and this is
why it seems to me useful to mention RFC8624 that defines the algorithms
that need to be implemented. In particular it would be good to know whether
non standard algorithms could be mandated by RFC8624 updates. If that is
not the case, as far as I understand it, non-standards are likely to never
be interoperable.
Ed* adoption shows that this takes more than 4 years to be deployed, but
its deployment status remains consistent with RFC8624.

As a result, if the software life cycle management time is long for a
standard algorithm, it is likely to take even longer to provide
interoperability (which I think is worth mentioning).  I also believe it is
helpful to have RFC8624 being referenced as which algorithm to implement
and deploy as opposed to relying on the status of the code point - which is
I think your point.

--Vladimir
>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email